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1 

[t#i*ff*©S5ffl] 

[B#an ^#*>6isai©3W8«#r8a(*6i« 
«BJK*fl5ttl/. ragaatcatftu 

(b) JJEffStSStt. &&H£i£g©IE^tt£*IIS 
L/, 

SMI LfcW«HIS:4»«fftS)»K A* I/TImebxjc** 
**79-f>F»S*4ttU CtitaXHaNCjgi) 

a^g££*«>. *©ta**« &±EV#{kstipjs 

C© JJaH»». iESMKi^ttiWItto 
T« WC J: 0 ±fBB§^<t&HrtS?:£trtif *E*«-Sf L/ 

TSaws*»r. ±E&*Astctf£r**tt©ai( 

[ l«*5 2 ] lf*5 l ©a* WKJimc *ii>t . ±ie 
KJtH,t. asf^A*. »lt/fc±EBia 
1 fc&IW i ±E*«1M*««aSS<c A2> L T 
StfcWiEOTWHc <fc •» r s« $ t, >s c i «kb 

7 7"(d-0) t. lESS**. S#©qHtrt&aftS*s 
StcSftriCiiilflffa^f-y^Cd-io £*E«ca 

[MSB 3 ] 1 Xtt 2 ©a*«SS#ffilCfct» 

EStatc J: (3 88SL"$" ? 7*££<*. ±EXf * 7"(d 

tf. 

HI** 4 ] 11*5 1 Xit 2 0*«ai*ffi«:*jl> 
r> ±EXf-y ^(b)»*±'E^5 > Kg££-5;l/cl3: 
*#«WflHI© 'J * h *fg3l# * h 4 LT&flT * 

*^*?*a*. JbB^f-7^co tt±Esa»y^ k 

[«#5 5 ] 11*5 1 X\t 2 ©H^&H^&tCfcO 

■c. jbiB* ? ^cott±ES^rt§©a8ttsjii£&si 
[a*5 e 3 mm i x« 2 ©»t«*#s<c*i,» 

T, ±E* 7- ? 7 r (a){Cfct»"C±E!a:3SI#«±iBB!r«Hl 
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iJB*^? 7(b) K*l>TJ43*]I*ttJhES9K*ltg4 
, «fttfcS-3lr»T±ESait*ttBU ±E*r ? 7(c) 
Kfcl>T±Efi*#tt±E»«^- * 5r«llB€-C±IBm 

[ »*a 7 ] 11*5 i x b 2 ©a^asesratcfci,* 

5 * v 7*a*. JbE* 7- ? ? (b) tt±E«3R»*c» 

-ra±Eaa»©»«©jEatt*«BM-4^f , 

10 tf. 

[fft*58 ] SS*5 1 ©VHWR&ffifcfcHT. ±E 

**u *n-t*i©»iaiiit#*aiBStt5*it#(cj: 

OffaSft. ±Ei^fttt±E&tt©aittMt#ftItC 

9. ±E^f-7 7*(o ■c«sai#j*±E!aaif : --*'&± 

Ei"J-X©-«|©»«ailt*KKK:aSftl/. ±13*^ 
SPK J: 0 ±E4MttlMt JBl>?Jf**{l:ai(A8t 

20 *wu«*s"j-x{c«*a[#«fflii / . s^is©a#A!i 

Stc «fc 9 ±E&SSfc£*ff S^t 1 ? 7££tr. 

[ii*5 9 ] mm 1 ©**a»#ffi{cfci»T. ±ia 
iBatt±E«a©»tj!iiff«KSK:»siii / r-fn-? t n» 

TS!ftM^a±EiS:Mr- $ *±T©±E»ft*ft*ft 
mcjJMtl/. ±EX7-?^(cD t*±E«IHWai*J**i 

^nAsjix 5ffl#^asi5(c «t o ±E^ft«-ffi8%fli^r 
30 ±Eff#{b&xA8£»i4 cca^jfura-f tfrar- 

^?:4fi5EL. ^fci^sb/c 1 -5©^tJmt+««g(C**. 
[M*ai0] »*58X«9©S-?lSJI^Ktel,> 

r. ±Ea*witt.-±E»ftiitHi*aK>2«±©^ 
«>i*«)fc»J!5U:*»»f^*-r*itta#pittttiitt#a^jia 
. a-r*s. 

[11*5 1 1 ] a&O&H^ISSi, §±E«m«s 

B4i&SiiaK-cai«sn/c*a#iia<b < *±Eaa 

^!£S i MtESflftKrttM § hfc«^aai/^ ? A {c 

40 fct»T> 

&JbE&»ggBtt. 

fnm«JUHfitt©AiiircqHHfci/T«#fuai 

±E«w<fcaarts*±Ea«-caa LrajHtfctff 
fiX-rsasLHi. 

±gBfrfciiis: ; £±iB'gii#^s^^f r €> ^a t . 
±e vsmh* 6 sa b tc±ws m%&&<D±&m!& 
mxictttzf? j > K»«*>6±Eaa©i^B*a9 
so ai»r±EBW<taarts*at»a«(c»r*±E«i 
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#gg©fiiMgS & £Lftl£0l*£8 4 . 
±etO**8 4±EBi#<bf3j£rtg*gfrtt#R4*& 
If- $ 4 LT«t#*B^aHtr 
JJBffMttKU. 

»i Lfc±eiMHis:K:*f 1,75 ^> f»s*4«ts 
*. 

±ESHfr£S»i. 

±E4»lflUc»l61-*a«»c J: •JiKWRf 8 - 
4. 

1 2 ] ft#m l l ©mTfflKf **-A«:*ti,» 
T. JJBaUiHteBttEK:. ±EBHHHJaOTg**& 

4±ES^r- * 4±E«ft««lI^a» L . ±B«tt 
ggSttS-LESgggSfr 6 §m t fciESBH f- * 

A* I? JJB*»««*Wr 

[»*B 1 3 ] tt$9 1 1 ©ttTttMS/X^tcfeb* 
T. JbESXtllBltElc±EltlBKiC^«tQR« 

E«r«fflKac;*©«ii«»**«aE-rssai#»«tt 

3»*S*. *©*fEK£ttr S 4±E7? -c > FSS 

1 4 ] n^i 1 1 ©h*&h->*t Accfet,^ 

T> ±Elfttt«Cai»±E«IM«©WEE(c^«1-& 
£»iE8im>6tt L//c±EtaMr-f©'J * 
HSrSWyahil/TfBsRU ±EJBR««:7*-bXBl 

I6«c^«-r*i4*y^hfpfi»***. ±es«*sii 
< tawjgjWiFr * &&s y * h «tt 

S4*Str. 

[»JjtJB 1 5 ] i##B 1 4©S*&3S->*;rAk:*iC> 

r. ±E&msttM:. ±Kaw©**»»ort»** 

, ±ESM y * h *©S^f - **> 6±E 

* y^am u ■5-©***s@#©t>©T$>.&a>£ft2-r 

5C4(cJ:0@^©SMf : -**5±EfiMy^ htcftS 
[M$a 1 6 3 Him 1 1 Ol^iSS^^tAtcfco 

si-i*. a»©j";-xs«3tifc»w»t«6ai** 

U JJEtMMttJ:etltt©^ftfttt«ttB(CAtfLT 
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«a«iatt±rajaif ! - * *±e^ y -x©-ag©a 

ao s-c 6hfc±E»fttWfa*ffli>"c±EiiW'fiaai 
rts^trtsa*^ y -xtcjtg&a-f #mt- £a#&« 

»*WU ^R©±E»tBttHtSBK*5tt*JbEa 
^99©(I^ffi9tC «fc 0 ±ESSng*fl&. 

1 7 ] M$3 1 1 ©«flBWi/X>AKijt> 

t. J-E*it^s«-en-e t n^^s^n-«tcj:>5 , gii 

10 3hS1Kft©fttfattHf&ll**U JJEttCttMLhE 
ra©£tk&tHS£B tc#M L T *h ^n»tifi-2B^ i 

uTSno^T^nTfeo, «jjBiut«fi«(t±esa( 

f-***T©±E»B«tf«SS»{caifiL. _LE±E 
£tt*&HS*»l*th*ft«93T6hfc±E»tl^ 

^*«oT±EBi#{ba^p , gg%sij<7 tca^ftaiLTa 

-ftftlJT-^&SU ^ ib&sbtc 1 o©_tE»tfc£!t 

i -3©±eaiMHH*s»ta»»6hfc£T©±Ba^ 

20 8P£Wl/T(,>S. 

1 8 ] 1 6X« 1 7 ©m^-JS^^Xr 

AKte^T. JbEa^figgPtt. ±Eattfttt*ttK© 

2«±©^©9i©/c»tui*5i!)^%-rnt*a#^i«e<ti« 

[ M$B 1 9 ] aSfc©&I£^ga 4 . &±E&H*& 
■4E«afitt"C««S*ifcffI*£B4, &±E&1( 

j«rts*iiit«ai©&Hii'ciii^ti/. wftsot 

30 fcS*£flWS«*ftS4. 
SLlESt ; &^S-3-SSL^ai§4. 

. fPJSS4. 

±E«r«isaacft ©!saw»* £ts^i£g^&<g* 
±E«i««ii*>eswti//c. ±Enr«ax«c»-r*« 

S«©^7-f> K»*4±Ea»*A*LT±E^5-( 
40 > KS«*> e.±ESLSt©^S=&K 9 »t»T±E«iHMka 
MrtS?:^tf1f$B(c*fT?»JiE , gii^©S«^*ii?>-5a 

±ebi# fbsmrtSfcfctt- 5±ieta#©s« 4 jjbh 

«©VSWHK>WE(c«ttr S &JbKWI«©»S 4 
iEBg^fbSHrtS^^tfmB^^T 1 - > 4 LT^gt 

iEW«ta»6fii o tc®m u ^ h ©nuc a s©s 

50 Hf f -jr*JflPftr**5*>**aEr*y^h«BE«. 4 



wim 2 o i man 1 9 ©so(«anc*ji»r. e 

Si. ±IBBW<H9fl{rt8i±E*^*aiSl/TjJEBI 

IS X h «^K±eait*S«*>6S<l L fc±E8SI 
yx ^©sany-frfr&.hB* y*ttfflu *©* 

[»*52 13 a&©&H#£gi. &±E&Jt££ 10 
«£E«aWCJ8*tS*ifcWI#SiB£. SJiEJOl 
i fcBgaflBrttR $ tifclftttttlUKStrit 

• &±e&:a(#ea*> 6 &n t - * & u r «t l fc . an- 
#©&H*"c**wt $ hfcBi#{bt8*i>iS*£tJit« t 

L-C±E«l#©»*tl«Er 4*«»*«OE 

Hi. 

MM^fcije^7 , -*©yxh*«i«u ±e%k 20 

*C 7 f Hz X njfcgit&af S&K 'J X h fftjHI i . 
±EfiHttK#j£rr *«fffigtK: J: 0 ±EIW{brt*** 

whb«m LT&n;t©!a3irt§*f# sa^s i . 
±Ea# § hfciswrtSKS-^TfctoKjtTaiw* 

JBtTaftft*. i*£tf. 

[it«9 2 2 ] 111*52 1 ©*it«aitt*h-etm 
fc»»*tt#isi**u ±eimttitJbGtnK©^tt 

$ B±Ef y - X©-ffi©#fjrJlit#£KK: «t 9 a 

ft$n. jbEftfHUHHtns. *h*fi**>3T6*i 
fc±E»ftiWf«*ffli>-c±iE«i^bJ5airt«4dt»it 
«*!/ y -XKHcxa-wiar 5»»a#*a»** 

L/. ^S:©±E»|W»t«BEB«:*»W5±l3»tWI# 
«fflS©a<W9IK: i 0 JLEHSWSiff * . 

[iMta 2 3 j n*«2 1 (ommm&\tzti-?tim . 

ttS«tt-#«cj: 0ta8hS««©»IMItt*«llt* 
1/, ±Et«HiB±E«S©»IMRH«ai»c»«LT 

«SHf«aB±r ©lE»3ll««B*> <5>±E&Hr - f 
*gfiU «0ST6tifcJJB»»Ba«*ffll>r±E 

U *tf>8M>fc 1 ^©±E#&mt^SSB«:£*#t5t« 
TOB9**0T*»9. ±E*©&*fc 1 ^©JbEftfk 

«it««ttii»6tifcftT©±Ba#*iii^- > ta 

[ flt#9 2 4 } it*5 2 2 Xtt 2 3 ©&ft*«a<C* 
l»r. ±E»tta#«ffl«5B. ±E»IWMt«6«©2 50 
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oh©?©^©fc»«±*sttiff4-rn{ia^pi«6^Hffi 
[a^9 2 5 ] a$©8»f gai . siesxttK 

#ggi&lBSffi{i&T8ffi$ftfcSllt«gg*Si£f1i 
flMS/Xf-A (C*» *&I£f gg©&a#«* 3 > f 
a - H-cmft S n y 7 A£EM 1/ fcEflaW*?* o 

(a) &»rtg*git^£!E©&g f 18trei#{bLTBg-Et{b 

(b) £Lft*££U 

(© ±EIMea&©*«*£ftl/. 

ce) jjBn«a^cF«©«««a4nra«fl»^afli 
u 

ENjlQflK(C^r«±E«Hf©^9'r> K»«*6± 
E£Lft©Kff*lKt) »l#»r±EH|^fcaairtS«r$tfl» 

«K«i-6jja««©»«*3H». 

(q) ±Eii#{tia«rt8**t»t»«©i^tttwii,. 

(h) ±EiEatt©*fiEK^»rSi±E«l^fcfi3RrtSF 
***** i ±EfW©«5 St&SIt 1 - if i UTftit 

(i) ±E*8t^&g*>&gte Lfc&Styx KcgE©« 

[»*S2 6 ] nimz 5©E««tt*«:*ji»r. &a 

*«ttEKJbEHaW©***JBr»ri»*# ^SSfefiWS 
X7^7*i. ±EJWHSWrtgi±E*y**ttl,T 
JbEB -*l{b&lll*l§**tf tit$R££l£T *>Xf v7"i=& 
±EXr^7'(i) tt±EI*tHS«g*&*{Il/fc 
iJB&SC y x h ^©ftSai^- **><=>±E* y*«Hi 
l/. *©*y#§#©fc©T**fr*t*$-rac4K:J: 
o a^anf-f^JbEJsai h ©+«*&*** 

iPSSK/ X f A tcte W 4^l+«Kg©^S^)i?r n > f 
a - * vmfit i y' a 9 =3 A EA b tcKOmtV $> -> 
r . JJgfeSMUlBT©* f - 5 ^**t» : 

(a) S±ES;ll#«H*^&Slr- jr i L r »■ Uc. 
*it^©^S®-cBf-f ^bS ia/cB|#{b!a^rtS***t» 

$6 i ±eb#{ b«asrt«**6tt«K»r ita^©^ 

« i * A* L T ±E«S#©S« «IME L . 

(b) JJBffS»»«©ME(C*tt-rii«JJBf9aR«R 

ga> 6S« i/fcjjEisaif 8 - f © y x h ^ts:^ y x i- i 
br^fiKb. *©sai';xh*sa(**«7?-fexpittK 

(c) ±E^BB««c»jSr ««*««: J: »)±EBt#fbrtS 



*SWt«*«*LTi«#©««*iS*ff. 

[n#m 2 8 j m#i2 7 omm^^x . ±ib 
sur^SB-tft-eftgtt ssut^c ct o . 
mkois v ~xmm s nfc^tsmitt^ii^w u . ±ib 

i£«StB±lB$ &©#ffcfllft^£gK#t!l o X z ti?ti 

fmw&mtbxm%x ^ircfco . ±13x^7* 

(c) B&±IB&I£*&g7>6&6ti7c±lBtS:l?T-$£ 
±fB^--X©-^©#txmSt£llgK:«fc'3g{i U * 10 
ft^ft©±fB##x*fr#HgR: J: 0 , mtlaXib titc± 

S©±K»ftlttt#*WCfctf S±IE»»a#il!H8{c «fc 
<9±SE&Hi*l§£f#S. 

[ tt$9 2 9 ] ft #B 2 7 ©IBIi${*K to i»T . ±12 
HtMfttBtt-tti* Witt S*lt#(C <fc 0 H 5 *i* a 

»o»ft«it«ai* w i/ . ±efW«tt±Ba»©fl' 
arehrbo. ±E^f s^(o B*»«aat««a 20 

&f*Wk«>1t 1 o©±fE#ifcSlfr#iitgK:ii 0 , JJE* 
©ft ©7c 1 ^©±IE#fx*ft*§SBBSI©e>tt7c:£T© 

±e a# * ih - * * 0 r ±e &si * 

[ St^a 3 0 3 mm 2 8 X\t 2 9 ©IBSiittttCfcl,* 
r. ±B**-»7(c) B±lE#fx*lt^£B© > 2J£Lh 

©^^fcfcftui^ttfpt-rnjia^ttttiitt^ 30 

[000 1] 

[»9i©B|-r5a»i»W] C©$6WB. ^it->Xr 

A"cr>^-m«E»*tf5Ji*<c. g£ttfcfE«&ii 

[0002] 

[&*©aifi] 8g(£». wt«**Ka5%stijitti» 

©*m* 6 »ffiR#iW»f IS $ *i7c8i ( l XB 2 « 40 
±) CDMtttHRU *©aBR»***tH*tc*;t. A 

[000 3 ] &IB«&Htt. SSertgOfcrlS* 
4©tcaort»S©-C. **#B*CATV«©55D5fl6l 
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[0 004] SStiHI fcbt»"C. 3c£tt&iB2i3:M£ff 

zMfotzn&tbx, ?4VS)\>m%i*mM(M=f-iBi 

lRfa»»»*3tlT*»9. WtB. Atsushi Fu.iioka, T 
atsuaki Okamoto, Kazuo Ohta: "A practical secretvo 
rinq scheme for large scale elections" , in Advanc 
es in Crvptolopv-AUSCRYFT'92, Lecture Notes in Coin 
puter Science 718, Sprinqer-Verlaq, Berlin, pp.244 
-251(1993) , H*ffl!(#Srai«^Hj6-19943 (1994^10^ 

28b&hd im+gtmismRvgim.} tcjjtstvcir**. 

[000 5] C©8E*ffi"C«. fSOfffVitf&XftSv, i 
S« £?# 5 7c©©tu £ L X xi &£L& r, iC<fc9 mi l> 

K»-5l.»rtSW«v,©iEatt*BKLA:a. ttjQK&e. 

r a. &n#v, Bts&sfce, tc^-rs ^7 -r > fs« d, 

*6B»Xx,{c«rsjWWBl#A©»«Vi**«>. c 

#Xx, #jl¥trffi^ A K «fc 0 9£ Siir t» £ C £ £A6i2 
t/C. WXx,«:-t©«*-B5iH-rS. SOfSV.BS 

^©ii#S:x 1 *sg^snrt^ti^B < ts^rtSv,©^ 
*l^Bjiit«CH:»U"rR«**Lfir*. «t#CB 

[0006] 

[»W*s»?^LJ:5i-r5SjS] L-*>L/tt*i6. C©^ 
?.@^©Bg#^:x,*ig»Sn7cCi?rlllgL,. fitk,=Sr* 

[0007] c©»m©ikjb. ?7-r;<->-*ft-rc 
itt<sai*L4rwA t S7c »tt#©^FE^tiee 

ffiu/tttssawKassjwottt*. faffitta^SM^ 

^f'ARt) f *©7EF*fe*»«'r5C4«:**. 
[0008] 

[«a*j»»rsfc»©#a] c©»wrB. ssi^as 
a*rts*«i*©^BBairas^bi/. Mtc-e-©Bg^{t 
aiw*s«tiiaLrtt«ata:tfwti/T, ^©u 

«MKtc»**#wrjM6«l#«:aHtr4.- iS^tS 

ris^b8airtSK»-r*afiP«a*©**««** 
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&m <* htc&m? - 1> © y r k g^oBt^tsnrts 

tt&HFW*^! $ tiX i » ft i>if £ic«. Jttfgtctt L/ 

•caw* * oats, jut, *fhf£MUu ^n-e 
n#«#{t«©-»*«$ u mm±n fe u < »-s 

©aurtSfcux o tar «t $ tc i/c t <u». 
[000 9} c©*wiicj:fttf % BHHtttxAStiSx 
fig^aSTiautiiiioT, sprat, somit 

[ 0 0 1 0 3 C CT\ «<Wfc«tt«lt«**ff»l/T*l 

loon] *tt#*«ttt-r*itf. *ti6*«*-r* 

m b S tiT l » 5 S^rt 8 £ =£3* S ft: w 

-ctf-tc sp*=. 2>*ft#©-as 

b ft I >* «P 0 &HrtS#Bj 6*» (c ft i C & tt 

ftt>. 

[0 0 1 2] *fc. 4MKSftfcJ*tt#ICtt. AHMtSn 
fcg:MrtS* J »S sot, c©if i>< ti-S 

«©iw*M8aofcir»**9 . &K©m«:*©ftiHi 

[00133 Wc. JMt*±*"C& 4 
#. fcKtt. HK^©t8*4«^pIttitt-3"rfc. JEl- 

< miffii«tf ft 9 c ta«r* 5 or. c ©stiffs 

[00 H] 

[ £9J© XMKDJBJtt ] «T<MWfcW©BMB tcfcOT tt. 
ffil/fc*lf»c-3i>T»wr**«. Ititl/fcJrStc. c© 

©g^a/arsa,, 
missed 

"C**. TA©SSI^v, (i=l,-,T) ©gig (SSStS 
SiP?^) ioo (J. iM^gS^AOgg (9¥*3&& 

gi^) 200 £, *fc«tt*c©8« (mm&si 

P?A) 300 £. -?-n-e^lB«jif5S§400 , RVM§e£,M 
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s§4oo zMbxmmmm^AttmRimmzm-isic 
\t. zmmmfimtfftx&zfrzmtmmim. 
mia&sv, xammmiD, zttmLxmatz t>© 
a. MKsaflRsoo «aorMt«c(ciim«ifli 

it s. ttc mft%c&tmft®<D-fi (swyah 
RVfimsL * r ) £&hu , c ntc 7 

i>-fe**s*Jtg-C*Sif£. H3&C01©&H^;^A 

10 HB200 ©fllljfcfll*. S5tcmtt#^g300 ©«fS^«r 

tic. H2AK»WPMfAaq>rb-C 
t»S*ttt y * r 240A*. H 2 B tcSa»tt*5*.fc» 
H#y^ h240B*. H2CCCJBt#C*«flE)aLA:Saia 
T\ *»-3«Stl5©J83iy^ H32QA*. 02DiC£ft&© 

sat y ^ h 32oa^ . m 2 e &cf#mts[ y * r 32ob*wst 

[0 0 1 5 3 GTFCtt. fcK«SI*V, tfa^ffSgA 

20 *-rs*^«:-3i>r«iwrs. 

[0 0 1 6 3 CC-C, 6(T©ttWfCfl6fflSn*IBj*t* 

[0 0 1 7 3 x = €c(v,k fC ) : J*tt#C©l»<WbM» 
(x : Bg^i, v : SMrtS. k^c : *s+^©^^) 
v=p c Cx.k sc ) :»tt^C©a^{bffiS (ksc :«th» 

s = a, co : fcH^V, ©*«fPEEM» ( s : *«. 
e : Bf#{bSMrtS) 

30 d = a,Ce) :awrWtA©^5-f>F»«ff«IW« 
(d : ^5-f>F»«) 

z = C 4 (y) : iS^«S#A©S«tC»-r4^UMS! 
(y :»*. z :!8:MfflfJi) 
e = co»(z,r) :JgSLTO (r : 
y = ^ A Cd, r) : EUfcOaiftSHtt ( d : ^9 -f > F» 
«) 

CC-C. «ft#C©B|^tRI?S«cia#ib5BSSPcttJ3 
ftl©d»Bfll«#*a-ClMBStiri>*t©-C**). -Sift 
#C(ittfl;«kbc ^racff^L/. &nttk, ( «&:K# 
40 tc^B80Tt>at©i^*. *fc. !WHW*^9-'f>F 
»****r*HHC»*»*©-»« »-fe-!?m*a»r"C 
^5-f>Fr* 4 s F»«©fcJ6©«r*!HS4r 
-5) /c&©aSLM^a.(z,r)i. gW-jfc^-OF 
•« dfr&afb$a r ?:^*Lr}ailffliffiz KW-TSjS 
»WS#A©g«y?:K0tb-r. £LttJft&tt£Htt* 
iCd.OI*. S^ ( fiI«A^^fflT?)7'7^>FS€UgS 

a. •M-mmtcifctzbox-bh. c©«t^ 

ft»*M«tC-5l»Ttt. WitfRSABf#©af#<fcB9S 
i^-f-fbM^* 5 * 1 ? (Ronald Ri vest, Adi Shamir, Leo 
50 nard Adleman: "A method for obtaining digital sig 
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natures and public-keycryptosystems" , Communicati 
ons of the ACM, Vol.21, No. 2, pp. 12 0-12 6 (Feb. , 197 
8)), 79"f>K»«***TSfc»©W«!Si:0"C© 
&&KJ:SJi£L©#£&C^t>T©I$ifflB. David Chaum 
: "Security without identification : Transaction 
systems to make biq brother obsolete " , Communic 
ations ofthe ACM, Vol.28, No. 10, pp. 1030-1044 (Oc 
t., l985)K:iaj£§ftTI<»£. 

[0018] mzitmt&mmgioo B#©«t 

rtStiTl**. BitWia tcit^«M50»©WJ!l1«aiD io 
, 4«flrv,#«l*3*va»s. tic. $gf ioo rtrij* 

tt»ia t,cm$tiZ>. ag-^bUno B&H#v, tfSiR 

wc w^sv, * ( c cTttmtf^ffi#scNa ) ast 

#C©AMfH^c"CB|<Wbl/. MXx, = € e (v, 
ffS. * y#6&8lHl*£l»t,£3&£U *©SLttt,tt 
SXtfv, ©asWai-j-c t>s * ft. LtflBfio J: 5 fc&ffl 
sn*.. aw** 4 ji^t, tatsiz-cz, = 
x, i t,*ta*rs. cm. z,*s:iuitt4i>fc&c4{c-r 

5. SL$#S£§120 BSlRr, jSSli§130 B 20 

75 F*g©fc«>©IME3<!: l/C. ^SLM^e, = co 
. Cz, , r, )CC«t 0 &gffltKz, £SL&r, -CJSgLLIS&ffiSCe, 

V,©fc©r*.&C4£^-r;fc*©»Ss, = a, (e, ,1ft) 
£. r-£<e, ,s, ,Ift> BjS£fi8Pl30 frhft 
(ISS400 ^M/-CjS^ i tS#«g200 (cgfisns. M 
ftSS400 KJ:Sjfi^JI#gg200 &©&ftti. il^tt 
*#gSB200 #&M ZlnZfcm 

[0019] Sl»jafl#*S3l50 ttjMttSMH&OO 30 
* & SPiso tc <£ 0$fiLfc^5 -Y > KS« d, *» 6 
SL»r,*tt-9-CSL»JSR^»4M»V4 = 8* Cd« ,r, )tC«t 0 

mum*®* l . * ztmm&z, cc^r z>mm<g m% 

A©S«i UT» S. €£&2SBl60 ttttEHftz, = { 
.CvO *J«ir&*»*«tt , r*c4K:J:0vi*»iEa , c* 

SP170 «mst*«S300 K7*-feXl,TiM£<ig|5l80 (C 

<k o fi tc&m ') x h 320A*«^-r a. 

[0020] 124 (Cot? a9ffS3£S200 Ifffttf © 40 
'ftStlttfflft #*aE»3ftfc**#y* F240A (El 2 
A) i. SM©miS?r^x/cSM^i^lJtf$Slft tttt 
iitf83l# y * h240B (132 B) i*Ef*-r*7c*©IB 
tt.SP240 4. &X*fe&3MUfcWH1ffttlft 

nctt-»-c(,»s*>*«aEr*»a(*«aE»2io-4. 

SOTbfcaiWOlM&JRe, test? *&!&©*£ s, # 
E L l>ft>$WENttei =«: , (s, )rt*J3ffi-f •&*>«: J: 0 tftS 
-r-SS«^SSS220 4. jE£te&]E#*IBttflS240 ©Bf 

5E©«*jc#*&<,-c8ai# y ^ r ifMS'T *«aw y 



WH2.00 0-2 0748 3 
12 

, = a. (e, )*4fiS-r S»*f¥fi»2304 . &SS#gg4 

©f s -*©aHWt«:ff 5a»»W25o 4*wurt,»s. 

[ 0 0 2 1 ] 0 5 fC^T<k 5 K, JUftf£B3po B&H 
#£|glO0 #>63:fiSG360 tCiOSfiL/c&Mr-SKz 
v,>4i©8fllffitKz.4S4kV9*A©*«yt(c^0tt 
■EHRC.CvO *«6->Tz, = «;.(*) jWdBWSfrfclft 
2TSC4KJ:9g£y,£&ETrSg : g&$gB3io 4. 
WW hfWE»370 tCfcOfellx-iXz, , y,>KaL 

#^q, *ff tf-tsai y ^ h 320A (a 2 c > tea*. . 

t SIS1SSS320 4, &gJBIKz, =x, 1 t,*6«^*x,* 
#g£-f£#!iS|5350 4. jftfr&oiftKttk,, ttt-a-ca 
#MSS[Pc {C«fc0x t ^ffl#l/rv, = p c (x, .ks.) 
rtg4Lrff^a#<bS330 4, t83Sl**gv 1 £SlBt-fS 
Hit2§340 4£Wr5. Sfc. fSt£gP320 tc^snx 

i>4tssi y x r 320A©jiL/## q t,m&t asm?- $ 
tea 2 d tc^r «t *> cca^ $ n/cSM^v, 

«IMSI«*ia2EH:^rJ:5K:*flW (cwft; h=i, 

2,... ) ©?SSgfcC&Ch=l,2,... ) £®m >) x h 320B4 

t/T Ett»32o it&ft $ n . as? y ^ h 320A4 ax d 
»#««ioo«:2ifisn4. 

[0 02 2] feTF. C©»-©jl»J^4sW2.tS:X©^ 

Xf^^Sl : an^v.tt. iJ^^gioo (S3) 
tc«fcoan<WWttfclT©J:5Jcff9. 
[ 0 0 2 3 ] *f ? 7-Si-l : SM^V, tt. SKrtSv, 
?:Bg^<tlliio "C»lt«C©fl}Hfllk,« 44H^fbHtt€ 

Xi = lc (v, , k,c) 
Z) = X, 1 1, 

>d^t,B«AHSi»r*»). tsai«v,©**ja 

£©4>©T?4>SC 4**0-3X1,^. 
[ 0 0 2 4 ] * r y v'si-2 : SSSSv, B. SL&£)S1§ 
120 *ffll>TSl«T,*4BSL.. mSl30 tflH»Tz,« 

e, =<i) A (z,. r,) 

[0025]7fj ^Sl-3 : SM^V, B. #«fffiXS 
I40*ffll,>r. ir^S^e, 4Hk8WHRlft tc*tT5^« 
s, =a,(e,. ift) 

*ff)SL/> f r -^<e, . s, . lft> &m%:ts%>T90 *>?>S 

^f^S2: jS^Sil#«ffi200 (H 4 ) B . St» 
Sn/c^H *£v, 4-5-©iaj?iJtt^Ift ©M«*ia 2 AK 
^■TJi^KWfil^'J^ I-240A (02 A) iLt^*WU 
TfeO. Hfc. «3R©*B4#*yt*«l#©««rv,XH: 
!OTt$gift K^gP260 KJ:*)#jpia«r 

fc&CSIS 'J ^ h 240B ( 13 2 B ) fcWl/TUS. !S:X 
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fetiBNuiiflMiQ geiats. aa->x7\4>io-a> 

SMttiD, X H240B (02 B) tc«i&fcc 

BffliE»3irCl,»fcl,». a¥«aa£K200 (ckO* 

[ 0 0 2 6 ] * f - j 7*S2-1 : i8£«a£ A B. 
jWrt§tr*SC£*. W*t£yxl-24OA(02A) tc 

^-caat*. tokwntf. a$sa#ABas*£ 

St 5. 

[ 0 0 2 7 ] Xt"? 7"S2-2 : jtfPf 9*AB. Ctitt 
. 1&{cS^v,#a*tfa#AK:***SfcSW-ct»5*» 
S**. 8flWyah 240B(H2B) tcio, «K1? 
3i**iTi>**>*Sa*ltlKB2io cc«fcOH' < < : c*«Et 
5. feL. ID, JWRfc*B3#ra»fcitr&tf.- 31*WS 
#Att^«fi3K4 L-C*B«§StS. 

[0 02 8] Xf-?7"S2-3: ID, #*/c*#jASttT 
JfcWtlB. 9**3* A B. S£fcSif220 tffll»T. 
s, <!: e, , ID, 
(e, , ID,)=t,(s,) 

AB. e, 4*Sfl3RS230 JCSt^r. g«d, 
d, = a. (e, ) 

*U*U d,££5HfSP250 ^P>a»«^aiJ0O tCiH{g 

1 5 a«#.y ^ hftifttao tcj; 0 ietf.gP24o 

rt©Sa» , ;Xh240B(B2B) CCftliav,©!* g& 

finti. 

[ 0 0 2 9 ] X *■ -j 7"S2-4 : fi*«fl»7l». 
B#AB. h240BtStl««!*fi«t*. ^ 

ffi*©awiiB*^b"CjWMBi«ai2oo ©iew^o 

rt©J8»fy* H240BtC7*-feXlU&&r£>£C££Sfc] 
0-Cte<. C© 'J *h^©T Wilif* 

m%>)* h24OMM»ii9fBiW«a«SBl20O ftrft 

X f y S 3 : aa#v, B. &I?#iSglOO (03) 
KJ: 91«att£*©»Stlltt*ttT©J: SKffcfct 

[0 03 0] Xf-f ^"S3-i: aS£gv, tt. d,£r,£SL 

tSSv, 

V, = Sa (d, . r, ) 

[ 0 0 3 1 ] Xf ? 7-S3-2 : SI^V, B. gS&$S§ 



(8) WH200 0-2 07483 

14 

160 ifflnt. v,*ia^«atA©s«r*ici!& 

z, = t.(y,) 

jM5SfitSjWc<fc»)*Bt*. to. *£ttr*ofcfc 
6, SJI^V.Br-iKe,, d, >4*f C t K «t "5 , 
^a#A©*IE££3Rt*. 

[ 0 0 3 2 ] X r » 7S3-3 : JfiXSv, B. f5i2S«BI 
i8#-&&-C*ftBgg{IgBi80 ^e>T-^<2,, y, >*si 
ft«i£g300 tcjlflggsoo £iILT&{rr S. 
Xf •» 7'S 4 : «It#CB. mt+#SH300 KcfcOW 
io T©J:5«:bT**ajWa. 

[ 0 0 3 3 ] Xf v 7" 54-1 : SttfCB. aa#*>6 
g(IgC360 <CJ:iJtJai7 e -5r < 2, , y,>£g(IU 
$2§3lO 4ffll»Ty,jM9»fflttz,(C»tajE£&»S"C 

z, = £»(v.) 

^gEfitS^^actiCitCiOJiSti. &U £ 
«<c 6 tf . IWWh fBS»370 tc J: 9 «* y" * h 230A 
(H2C) K. *ftttU!>&flUMfe K~ 
a©*aq(C«fc»)»attl**U a^r-$<q, z ( . y, 

20 > ii/cww*. 

[ 0 0 3 4 ] X r » 7S4-2 : t-<T©am SlSt* 

CBjMsasiJ38o £ai/-cfiettSB32o tcrdnzxnjfigi 
Tsci^^otaaiyx h320A*^rs. coaay 
x h BT*«T©8a#*> e. r f -fe x as njttr * * it 

i. &SKfr8Bfir&©a3!?#y X h 2 4 0 B©t§-&£|§3 
««:. fi&XBH. &g|JSj?r, *rF©£*DbT:fc<. Xr 
» 7" S 5 : a«^v, B, aS^^glOO K.£K) OT© 

[ 0 0 3 5 ] X f » 7'SS-l : a^#V, B. iiSfiSBl8 
30 0 tcJ:"3M§+^^a3oo ©ettfltao *7?WL. a 

a y x h 320A©^«:^ff l. aayxh 32Q4c&t!i<i 
n^aa©»^step 2-4-c^3ia/caa«©»i-a 
t5*»*a«aESi7o r^a-rs. fee. *£«&e> 
#aQia»r,*4«i/T. a»«aaA©^3E* 

£5Rt5. 

[ 0 0 3 6 3 X -r » 7S5-2 : a^#v, B, @ 6©aH 
S170 t?^ST2». ^©^SiL-c. z,*©fc©#yx 

40 t,#@#©fc©T*S*>&2L,T fcL, JStSS 

aaT 1 -*^,. y,>^L.r, ^st^ 

C©^FIE?rS55t2». 

Xr -^S6 : att#CB, &8t3£iK300 (Cfctm 
[0 03 7] Xf7^S6-i: S(IS[5360 Jc «t 0 

v, ^©aMffiifaz, i m& y, ©saHtea. miB^iE© 
afti^sfjEi^ifflrtJc^wtiB. atf-j&cB. 7>gtsP35o 

50 v, = p c (x, , k, c ) 
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Sv, ifi^toWfr LtcffliZm&wlXitSm 4 ft T l> 

s*>*«aTs. ftoTi>ft»n«jijai^iisti4. 

[0 03 8 ]Xf-;ys6-2: MHfCtt. B2 COS 
£'J* h©ttam*tMtt340tJBL>T*ltl/. & 
««tc»-r 4«*«*frc. *©&g£0 2 E tCSTl* 

f 1 - * <x,, t, , y, >iC)tt b® 2 D {CtpT J: 5 K . v, £ ilflO 

-rs. «itii*«iaaiy^ h320AKswixr4HS-r4. 

* f » 7' S 7 : &g#v, «, UBioo tc «t •) Jg 
t^C©&ftjWEU»C4«:lli8TS. ^$'302 Ctc 

fcfi:£#V,©x, 4v, i^jSl/tt^/P^JtS-r-S.. 
[0 03 9] ftfc. ±&z?y?S5tt&1&b-Ci>J: 
i>. etc.. a?-*:/s«KfcW*»iHfc'j;i h©£SE. 

[0040] BiraiOittewirttjasi^v^mif^ccDBt 

#ftM8Uc 4«-3r8!»rtSv,*x l = «cCv4,fe,) 4 
«WlbU JIIMfCtCSai^-jKz,, v, >£££©?. 
*ft^Ctt. t>L/*©ofciJtcfth{*Step 4-2-CJS3R U 

Tz,$©x 1 £a-5fiig&v ) = /o^x, , k«){Cj:»3a#Lr 
vj*»4Ci*«-C*S. BPfc. SSUMrO&PltfSfc 
■fK®m<Dm> fc*tt*fc£©til**»T. *©tt« 
4fiSC©J(IWS»*Jffl5lt(c4$£ftAK:ii6TC 4#T 

m *tf#^«3oo tf&wi/fctte. &n 

«TTti«ft©*tt#K: J: 0 Zti?ti<gm g *isa&© 

jiit*&rej:9iratiUQ*i8*aret/. «tr*c 

4 te J: 0 C*i6©j*(con-c*« LfcHMifllfcBiWT 
[004 1] CCT, ^ftJttf«oe#HCi!(IS^bn 

^ c>*»«[ie.ffisik, t1 -ca^«ffli*fTft 5 

^M&JIKsMS&AttK: l/ft l^flu (2<u« ^O^SfiU - 

S»© 1/ # I »fMfcMMMt##* $ ft gjfjgft J; *, 

ftfc©4f£. C©«t5ft©#BBttK-3i»Ttt. m« 
El Carnal Bb-# (Taher ElGamal : "A public keycrypto 
system and a signature scheme based on discrete lo 
garithms " , IEEE Transactions on Informatoin Theo 
ry, Vol.IT-31, No. 4, pp.469-472(July,1985)) ©1§# 

fl:M«4a*HtHa*i*0. c*i©»ftt,fc«*HHcj: 

tt, Yvo Desmedt, Yale Frankel : "Threshold cryptos 
ystems " in Advances in Cryptology-CRYFTO'Sg, Lect 
ure Notes in Computer Science 435, Springer-Verla 
Si Berlin, pp. 307-315(1990) tttBiJiSftTHS. 
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r. ccommmv\t, ^n^n©^#«aioo #mm 
s§4oo *rt-Lr*iswiA8K2oo mmzti, turn 
itss5oo imbx i -xmm&EiamstizgMm 
lmumtmc-ckztK aMs±©*fts^tt % a&© 
atraaitMo, (i=i.-,u £n r #ttjutti£a4* 
*) ^«xiiff#«a3oo,tt^r©SM#*^© 

Bfr9*x, £a^MS LTx, , *£«U ^©»K»ft« 
10 8lt3(ntC£9, IQttKj*g©^ttMlt«S|fl|3oo l l2 
it bu ©#ffcftlt;gga 300, . , *s fca-^MS r - * 

xm.i ta^aaorx,, t&ssu '£©#tfcait^$s 
■socMtcaa. *«©»««it«gar30(j k (cj:4a# 
«c «* 9 fla-c&nrtSv, am en*, m 1 xim* 
ki*{c, ii{f?84oo fcaor&iiaiJtBiDo,**? 1 --** 
*a*itK2oo a^#v,©is6siittfaiD, 

£118300, KiMittett. ttSOUHHiDk £ttttftl>. 

[0042] a«s/-*">^«K>«aai*R«ioo, ©« 
20 a^d«ga2oo©iiism4'BaiffH^a3o 

0 *#tx*it$$Sa300 i«eWi*iHW-c*4. 

ttc. *SB»ttfta©&M«k, c ^Soteiftgv, 

*x, =C(v, , fcc)fc £Qlf4Mtt«A6*l HMM4H 
Ufl©^ftfHMIIfcci. k se ». fc„**ft*h*L 

asoa^^riiBi^Xx, *> 6SQRA$.v < * ft 

t>. Bg-^->^7 u A4LrB5iili©ElGanial 
»^«. COJc^ft^tftl^ks,,, 

30 w*tf c*i^©«©tt©*wa**fiH«i^ ( tc^tie-rsfi 

S^iksc ©ffi49Kft4«fc5CC^ft5C4*5rt-5C 
4 *5|5ato Desmet-F rankel ©XHttC^ ?ilTt>2>. 
[0 04 3] El 8 A liJSSS^BlOO, -100, ^ 6 ©gJR 

*Jwiira»i»iiMit«6B30ft©iWE*s%L. 

^SSI5310 4. getf.S|5320 4. «ftS340 4. #881535 
0 4. »WI#«SaS331 4, S(fgP360 4. SHRi;^ 
hf¥fiRaJ370 4. i£g(ISP380 tiwori**. 15 iC 
7j^L/c^ 1 ^Jft«©j|lt#Sai300 4 «&©■£?»& 

mite, ftftmmmwm K*t»ri»xx, 
i%c,)fcj:»)a#*Ra7 t -*x 1J ^^o. -t*i**o 

»jt5t«fH^a300,{CjSI5C4-C*S. m2tC. *ltS 

««a©»iHiif*««3ooi,*>&a#«j(rtSv 1 ^§ft 
^a 300, - 3oa am j ^ftm^ga ( 2<i< 

U) ^K^L/rUSBtC^-r.teitc. #tia#teS5f533l 
*WT*fc-WC* t) . ttl5©»txi(lfft^a300 1 *i 

e>s<t l fca# tnf*- * x, , ictt l . ^ttttnak 

iC i ^^oTa-f^Sx,, = p c1 (x,,., , k sc1 ){CJ:0a 
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g30Q, TttmUBMx, . = p e , (x, , , k, c „ )(c «fc r, X) . 

zmmmv, in 1 af»t.tt*stft3ooktc& 

[0 044] C<D%2$mWlcmi>8m<D$.M>S:7f; 

vs 1 frhzy- yfs 5 ivo^mt^c^mafimj <* 
ns. Wei, s&ft^gioo, upt&mr-jKz, 
v, 5 ©am 1 ftftattfiiKMO! -c* 5 1 o 4 

?s. C©ft2ftft^ftlftJifl©;i?-.,:7S6. s 

7 *«to ± 5 tc^M uc tor* 0 . u«»tasii-# 

X^^S6 : ^ttJBHfc, d=l,-.u) tt, ftffc 
[0045] 5 7-S6-1 : ft l ^ftxHtt^asOO, 

b, -sta^^sioo, (i=i,-,-o^e,©aM7 r -$< 

Zi , V, >#©z, =x, II t, £7j#gf!350 r Bf #S[x, 4 * ^ t, 
K»*U #t«i*g!k stl £goT#tx«^MgiS|3330 

Xii = Pci (X, , kjc,) 

ifWif-Jx,, *»r. cti*%©ft2£ 

[0 046] fclTHJftK. ft j #fSftft*gea 3 00 ( t2* 
i-l&ifcft It^£|g300, . , #> 6 ©a# ^ 7 s - ^ x , 1 . ! 
K»U atHWftl*,, *tt^T#fta#ftft»330 JC 

*1 = Pci (X, . kjc.j) 

H8t*EHS300i O K:jai5. 

[0047] ft»®*u»iauf«ttB3ooba. sru-i 

#fixfti+:g3£g*> 6 ©a*$lig r-*x lu ., tc*f i^t* 

[ 0 0 4 8 ] 7 7-S6-2 : »U»ftfttt#c;tt, & 
ftfigv, *ftft3S340 *fflt>Tft8tU *©|»*^« 

4 4 *>te; ^Mrtgv, y * v tz&mtz. 

Step?: Sft^V.tt. &ft#£gl00,(CJ:9ftU#tS! - 
ftit^gg 30a ©&ft#iE U > t 4 £ {ts2T •£ . 
[0 049] COttJC. ft2£ft0rCBa#fta€ftg 

©»tant«K«3oo, -30a tc «t o jt^f (,» . *»©# 
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(54) {Title of invention} Electronic voting method, voting system and program recording medium 



(57) {Abstract} 

{Problem} To eliminate the need for a voter to send the key 
used to encrypt the content of the vote to a counter. 
{Solution} A voter Vj encrypts the vote content Vj with the 
public key k PC of a counter C, associates a tag tj with the 
encrypted vote content Xj to obtain zj, randomizes z» using a 
random number T\ to create a preprocessed text e is and sends a 
signature Sj for that preprocessed text and the preprocessed text 
ej to an election administrator A. The election administrator A 
creates a blind signature d, for the preprocessed text ej and 
returns it to the voter Vj. From the blind signature d is the voter 
obtains the election administrator's signature information y\ 
with the effect of the random number rj eliminated therefrom, 
and sends the vote data <z l) yj> to the counter C. The counter C 
verifies the election administrator's signature y u and verification 
is successful, creates a vote list containing the data <Z\, yj> and 
discloses it to the voters. The voter V; verifies the vote list and 
confirms that data <z is y;> matching his own tag tj is present in 
the list. The counter C decrypts the x { in zj to obtain the vote 
content v is and counts up the number votes for the candidates. 
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{Scope of patent Claims} 

{Claim 1} An electronic voting method whereby voters obtain 
approval for a vote, from an administrator and then send vote 
data to a counter device and the counter device counts the votes, 
comprising the following steps: 

(a) each voter encrypts the content of his vote for selected 
candidates by means of an encryption device using the public 
key of the counter device, randomizes information containing 
the encrypted voted content with a random number to generate a 
preprocessed text, and sends that text to the administrator 
device; 

(b) said administrator device confirms the legitimacy of each 
voter device, 

inputs the received preprocessed text into a signature generating 
device to generate a blind signature for the preprocessed text 
and returns it to the voter device; 

(c) each voter removes the effect of said random number 
component from the blind signature for the preprocessed text, 
determines the administrator signature of said administrator for 
said information containing encrypted vote content, and 
transmits that administrator signature and said information 
containing encrypted vote content as vote data to the counter 
device; 

(d) said counter decrypts said information containing encrypted 
vote content by means of a decryption device using a secret key 
corresponding to said public key to obtain the vote content, and 
counts up the votes for candidates corresponding to said vote 
content. 

{Claim 2} An electronic voting method as per Claim 1, which 
further comprises, prior to aforementioned step (d), a step (d-0) 
whereby the counter inputs the received aforesaid encrypted 
vote content and said signature information into a signature 
verification device to verify that the preprocessed text has been 
signed by said administrator, and publishes a list of information 
containing encrypted vote content, and a step (d-1) whereby said 
voter confirms that his own encrypted vote content is present in 
the list. 

{Claim 3} An electronic voting method as per Claim 1 or 2, 
wherein the step (a) of randomizing said information containing 
encrypted vote content comprises the step of generating a tag 
known only to said voter and the step of associating said tag 
with said encrypted vote content to randomize it using said 
random number; and wherein said step (d-1) comprises the step 
of separating said tag from the vote data in said list and 
verifying whether the tag is one's own. 

{Claim 4} An electronic voting method as per Claim 1 or 2, 
wherein said step (b) comprises the step of publishing a list of 
information representing voters who were given said blind 
signature as a voter list, and wherein said step (c) comprises the 
step of confirming that information representing oneself is 
contained in said voter list. 

{Claim 5} An electronic voting method as per Claim 1 or 2, 
wherein said step (d) comprises the step of publishing the results 
of counting said vote content. 

{Claim 6} An electronic voting method as per Claim 1 or 2, 
wherein, in said step (a), said voter appends voter identification 
information to said preprocessed text and transmits it to said 
administrator device; in step (b), said administrator confirms 
said voter based on said voter identification information; and in 
step (c), said voter transmits said vote data anonymously to said 
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counter device. 

{Claim 7} An electronic voting method as per Claim 1 or 2, 
wherein said step (a) comprises the step of generating a voter 
signature for said vote and transirritting it together with said vote 
to said administrator device, and wherein said step (b) 
comprises the step of verifying the authenticity of said voter 
signature for said vote. 

{Claim 8} An electronic voting method as per Claim 1, 
wherein: said counter device comprises multiple distributed 
counter devices connected in series, with each distributed 
counter device being administered by a different counter; said 
secret key is split up among said multiple distributed counter 
devices and assigned as a distributed secret key to each of them; 
in said step (c), each voter transmits said vote data to a 
distributed counter device at one end of said series; and said step 
(d) comprises the step whereby said counter devices in series 
successively perform decryption processing of said information 
containing encrypted vote content by means of a decryption unit 
with which each of them is provided, using said distributed 
secret key, and obtain said vote content by means of the final 
stage decryption processing. 

{Claim 9} An electronic voting method as per Claim 1, wherein 
said counter device comprises multiple distributed counter 
devices, with each distributed counter device being administered 
by a different counter; said secret key is split up among said 
multiple distributed counter devices and assigned as a 
distributed secret key to each of them; in said step (c), each 
voter transmits said vote data to all said distributed counter 
devices; and said step (d) comprises the step whereby said 
counter devices separately perform decryption processing of 
said encrypted vote content by means of a decryption unit with 
which each of them is provided, using said distributed secret 
key, generating intermediate decrypted data, gathering it at one 
predetermined distributed counter device, and performing 
decryption processing to obtain sate vote content. 
{Claim 10} An electronic voting method as per Claim 8 and 9, 
wherein said decryption processing is thresholded decryption 
processing whereby decryption is possible when at least a 
predetermined number of two or more of said distributed 
counter devices is operating. 

{Claim 11} An electronic voting system with multiple voter 
devices, an administrator device connected to each of said voter 
devices via a named communication channel, and {sic} 
connected to each of said voter devices via an anonymous 
communication channel, wherein 
each said voter device comprises: 

an encryption device which encrypts the vote content with the 
public key of the counter device to generate encrypted vote 
content; 

a random number generating device which generates random 
numbers; 

a randomizing device which randomizes said encrypted vote 
content with an aforesaid random number to create preprocessed 
text; 

a means which transmits said preprocessed text to said 
administrator device; 

a random number component removing device which removes 
the effect of said random number from said administrator 
device's blind signature for said preprocessed text received from 
said administrator device to find the administrator signature of 
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said administrator device for said information containing 
encrypted vote content; 

and a means which, transmits said administrator signature and 
said information containing encrypted vote content to the 
counter device as vote data; 
said administrator device comprises: 

a blind signature generating device which generates a blind 
signature for said preprocessed text received; and 
a means which transmits said blind signature to voter devices; 
and said counter device comprises: 

a decryption device which decrypts said information containing 
encrypted vote content in said vote data by means of a secret 
key corresponding to said public key to obtain said vote content; 
and 

a counting device which counts up the votes for candidates 
based on said decrypted vote content. 

{Claim 12} An electronic voting system as per Claim 11, 
wherein said voter device additionally comprises an 
administrator signature verification device which verifies said 
administrator signature for said information containing 
encrypted vote content, and if the verification by the 
administrator signature verification device is successful, 
transmits said vote data to said counter device, and wherein said 
counter device comprises an administrator signature verification 
device which accepts as input said administrator signature and 
said information containing encrypted vote content in said vote 
data received from said voter device to verify said administrator 
signature. 

{Claim 13} An electronic voting system as per Claim 11, 
wherein said voter device additionally comprises a voter 
signature generating device which generates a voter signature 
for said preprocessed text and transmits its to said administrator 
device, and said administrator device comprises a voter 
signature verification device which verifies said preprocessed 
text received from each voter device and the voter signature 
thereof, and if that verification succeeds, generates said blind 
signature by means of said blind signature generating device. 
{Claim 14} An electronic voting system as per Claim 11, 
wherein said counter device comprises a vote list generating 
device which, if verification of said administrator signature is 
successful, generates a list of said vote data received from each 
said voter device as a vote list, and publishes it to make it 
accessible to said voter, and wherein said voter device 
comprises a vote list verification device which verifies whether 
or not one's own encrypted vote content is present in the vote 
list received from said counter device. 

{Claim 15} An electronic voting system as per Claim 14, 
wherein said voter device comprises a tag generating device 
which generates a tag known only to said voter, an associating 
device which associates said encrypted vote content and said tag 
to generate said information containing encrypted vote content, 
and a list verification unit which extracts said tag from each vote 
datum in said vote list and examines whether on not that tag is 
one's own in order to verify whether one's own vote data is 
contained in said vote list. 

{Claim 16} An electronic voting system as per Claim 11, 
wherein said counter device comprises multiple distributed 
counter devices connected in series, each administered by a 
different counter; said secret key is split up among said multiple 
distributed counter devices and assigned as a distributed secret 



Unexamined Patent Application Publication 2000-207483 

key to each of them; each said voter device transmits said vote 
data to a distributed counter device at one end of said series; and 
said distributed counter devices comprise decryption processing 
units which in series successively perform decryption 
processing of said information containing encrypted vote 
content using said distributed secret key which is assigned to 
each other them, and obtain said vote content by means of 
decryption processing by said decryption processing unit of said 
distributed counter device which is at the final stage. 
{Claim 17} An electronic voting system as per Claim 11, 
wherein said counter device comprises multiple distributed 
counter devices connected in series, each administered by a 
different counter; said secret key is split up among said multiple 
distributed counter devices and assigned as a distributed secret 
key to each of them; each said voter device transmits said vote 
data to all said distributed counter devices; said distributed 
counter devices each comprises a decryption processing unit, 
each of which separately performs decryption processing of said 
encrypted vote content using said distributed secret key, which 
is assigned to each of them, to generate intermediate decrypted 
data, and sends it to a predetermined one said distributed 
counter device; and said predetermined one said distributed 
counter device comprises a combination decryption unit which 
performs decryption processing of all gathered said intermediate 
decrypted data to obtain said vote content. 
{Claim 18} An electronic voting system as per Claim 16 or 17, 
wherein said decryption processing unit performs thresholded 
decryption processing whereby decryption is possible when at 
least a predetermined number of two or more of said distributed 
counter devices is operating. 

{Claim 19} In an electronic voting system which comprises 
multiple voter devices, an administrator device connected to 
each of said voter devices via a named communication channel, 
and a counter device connected to each of said voter devices via 
an anonymous communication channel, a voter device 
comprising: 

an encryption device which encrypts the vote content with the 
public key of the counter device to generate encrypted vote 
content; 

a random number generating device which generates random 
numbers; 

a randomizing device which randomizes information containing 
said encrypted vote content with an aforesaid random number to 
create preprocessed text; 

a voter signature generating device which generates a voter 
signature for said preprocessed text; 

a means which transmits said preprocessed text and its voter 
signature to the administrator device; 

a random number component removing device which accepts as 
input said random number and the administrator's blind 
signature for said preprocessed text received from said 
administrator device and removes the effect of said random 
number from said blind signature to find said administrator's 
signature for said information containing encrypted vote 
content; 

a signature verification device which accepts as input said 
administrator signature for said encrypted vote content and said 
information containing encrypted vote content and verifies said 
administrator signature; 

a means which transmits said administrator signature and said 
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information containing encrypted vote content to the counter 
device as vote data if the signature is successfully verified by 
the signature verification device; and 

a list verification device which verifies whether or not one's 
own vote data is present in the vote list received from said 
counter device. 

{Claim 20} A voter device as per Claim 19 which additionally 
comprises a tag generating device which generates a tag known 
only to said voter, and an associating device which associates 
said encrypted vote content with said tag to generate said 
information containing encrypted vote content, wherein said list 
verification part extracts said tag from each vote datum in said 
vote list received from said counter device and examines if that 
tag is one's own to verify that one's own vote data is present in 
said vote list. 

{Claim 21} In an electronic voting system which comprises 
multiple voter devices, an administrator device connected to 
each of said voter devices via a named communication channel, 
and a counter device connected to each of said voter devices via 
an anonymous communication channel, a counter device 
comprising: 

an administrator signature verification device which accepts as 
input information containing encrypted vote content encrypted 
with the public key of the counter and the administrator's 
signature for said information containing encrypted vote 
content, which are received as vote data from each said voter 
device, and verifies said administrator's signature; 
a vote list generating device which, if the verification of said 
administrator's signature is successful, generates a list of said 
vote data received from each said voter device and publishes it 
to make it accessible to said voters; 

a decryption device which decrypts said information containing 
encrypted vote content with the secret key corresponding to said 
public key to obtain the voters' vote content; and 
a counting device which counts up the votes for candidates 
based on said decrypted vote content. 

{Claim 22} A counter device as per Claim 21 which comprises 
multiple distributed counter devices connected in series, each 
administered by a different counter, wherein said secret key is 
split up among said multiple distributed counter devices and 
assigned as a distributed secret key to each of them; the vote 
data sent from each said voter device is received by a distributed 
counter device at one end of said series; said distributed counter 
devices each comprise a distributed decryption processing unit, 
which units in series successively perform decryption 
processing of said information containing encrypted vote 
content using said distributed secret key assigned to each of 
them; and said vote content is obtained by means of decryption 
processing by said distributed decryption processing unit in said 
distributed counter device which is at the final stage. 
{Claim 23} A counter device as per Claim 21 which comprises 
multiple distributed counter devices, each administered by a 
different counter, wherein said secret key is split up among said 
multiple distributed counter devices and assigned as a 
distributed secret key to each of them; each distributed counter 
device receives said vote data from all said voter devices and 
comprises a distributed decryption processing unit, each of 
which performs decryption processing of said encrypted vote 
content using said assigned distributed secret key to generated 
intermediate decrypted data, and sends it to a predetermined one 
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said distributed counter device; and said predetermined one said 
distributed counter device comprises a combination decryption 
unit which performs decryption processing of all gathered said 
intermediate decrypted data to obtain said vote content. 
{Claim 24} A counter device as per Claim 22 or 23, wherein 
said distributed decryption processing unit performs thresholded 
decryption processing whereby decryption is possible when at 
least a predetermined number of two or more of said distributed 
counter devices is operating. 

{Claim 25} A recording medium which records a program 
whereby a computer executes the processing procedure of a 
voter device in an electronic voting system which comprises 
multiple voter devices, an administrator device connected to 
each of said voter devices via a named communication channel, 
and a counter device connected to each of said voter devices via 
an anonymous communication channel, wherein said processing 
procedure comprises the following steps: 

(a) encrypting the vote content with the public key of a counter 
device to generate encrypted vote content; 

(b) generating a random number; 

(c) randomizing information containing said encrypted vote 
content with said random number to generate a preprocessed 
text; 

(d) generating a signature for said preprocessed text; 

(e) transrnitting said preprocessed text and its signature to an 
election administrator device; 

(f) removing the effect of said random number from said 
administrator's blind signature for said preprocessed text 
received from the election administrator device using said 
random number to determine said administrator's signature for 
said information containing encrypted vote content; 

(g) verifying the authenticity of said information containing 
encrypted vote content; 

(h) if said verification of authenticity is successful, transmitting 
said information containing encrypted vote content and said 
administrator's signature as vote data to the counter device; and 

(i) verifying that one's own vote data is present in the vote list 
received from said counter device. 

{Claim 26} A recording medium as per Claim 25, wherein the 
processing procedure additionally comprises the step of 
generating a tag known only to said voter, and a step of 
associating said encrypted vote content and said tag to generate 
said information containing encrypted vote content, wherein 
said step (i) comprises the step of extracting said tag from each 
vote datum in said vote list received from said counter device 
and examining if that tag is one's own to verify whether one's 
own vote data is present in said vote list. 

{Claim 27} A recording medium which records a program 
whereby a computer executes the processing procedure of a, 
counter device in an electronic voting system which comprises 
multiple voter devices, an administrator device connected to 
each of said voter devices via a named communication channel, 
and a counter device connected to each of said voter devices via 
an anonymous communication channel, wherein said processing 
procedure comprises the following steps: 

(a) accepting as input the information containing encrypted vote 
content encrypted with the counter's public key and the 
adrninistrator signature for said information containing 
encrypted vote content, which are received as vote data from 
each said . voter device, and verifying said administrator 
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signature; 

(b) if verification of said administrator signature is successful, 
generating a list of said vote data received from each said voter 
device as a vote list and publishing that vote list to make it 
accessible to the voters; 

(c) decrypting said information containing encrypted vote 
content using the secret key corresponding to said public key to 
obtain the voters' vote content; and 

(d) counting up the votes for candidates based on said decrypted 
vote content. 

{Claim 28} A recording medium as per Claim 27, wherein said 
counter device comprises multiple distributed counter devices 
connected in series, each administered by a different counter; 
said secret key is split up among said multiple distributed 
counter devices and assigned as a distributed secret key to each 
of them; said step (c) comprises the step of receiving said vote 
data sent from each said voter device by a distributed counter 
device at one end of said series and in series successively 
performing distributed decryption processing of said 
information containing encrypted vote content using said 
assigned distributed secret key, with said vote content being 
obtained by means of distributed decryption processing by said 
distributed decryption processing unit in said distributed counter 
device which is at the final stage. 

{Claim 29} A recording medium as per Claim 27, wherein said 
counter device comprises multiple distributed counter devices 
connected in series, each administered by a different counter; 
said secret key is split up among said multiple distributed 
counter devices and assigned as a distributed secret key to each 
of them; and said step (c) comprises the step of receiving said 
vote data from all said voter devices at each distributed counter 
device, performing decryption processing of said encrypted vote 
content using said assigned distributed secret key to generate 
intermediate decrypted data, and sending it to a predetermined 
one said distributed counter device, whereby said one 
predetermined said distributed counter device performs 
combination decryption processing of all gathered said 
intermediate decrypted data to obtain said vote content. 
{Claim 30} A recording medium as per Claim 28 or 29, wherein 
said step (c) performs thresholded distributed decryption 
processing whereby decryption is possible when at least a 
predetermined number Of two or more of said distributed 
counter devices is operating. 
{Detailed description of the invention} 
{0001} 

{Technical field of the invention} This invention relates to 
electronic voting systems, voting methods and program 
recording media intended to implement secure anonymous 
voting in cases of conducting questionnaires and the like via an 
electronic communication system. 
{0002} 

{Prior art} Voting is a process whereby each voter selects a 
predetermined number (one or more) of candidates from among 
multiple candidates presented to all the eligible voters and 
provides the results of that selection to a counter, who counts up 
the number of votes for each candidate. The candidates may be 
not only the names of candidates in a political election, but also 
choices in a statistical survey. Furthermore, the vote content is 
identifying information, symbols, names, items, etc. which 
represent the candidates selected by a voter. 
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{0003} Anonymous voting allows the correspondence between 
voter and vote content to be kept secret and is suited for 
protecting privacy with respect to an individual's ideas and 
beliefs, and thus can be used in electronic conferences, surveys 
conducted via duplex communication such as CATV, and so 
forth. 

{0004} In order to conduct secure anonymous voting via 
electronic communication, it is necessary to prevent voter 
impersonation, duplicate votes, leaking of vote content or the 
like due to vote content eavesdropping, etc. Electronic voting 
schemes using digital signatures have been proposed as method 
of solving these problems, and are presented for instance in 
Atsushi Fujioka, Tatsuaki Okamoto, Kazuo Ohta: "A practical 
secret voting scheme for large scale elections", in Advances in 
Cryptology-AUSCRYPT '92, Lecture Notes in computer 
Science 718, Springer-Verlag, Berlin, pp. 244-251 (1993) and 
Japanese Patent Application Publication 6-19943 (published 28 
November 1994) "Electronic voting method and apparatus". 
{0005} In this prior art method, the voter Vj encrypts the vote 
content Vj with a key kj to create an encrypted text Xj; as 
preprocessing to obtain a blind signature therefore, xi is 
randomized with a random number r { to generate a preprocessed 
text ej; the voter's signature s { is appended to the preprocessed 
text ej and it is transmitted to an election administrator A. The 
election administrator A, after authenticating the legitimacy of 
the voter Vj based on the signature Sj, appends a the election 
administrator's blind signature d s to the preprocessed text ej and 
returns it to the voter. Hie voter Vj obtains the signature yj of the 
election administrator A for the encrypted text Xj from the blind 
signature dj for the preprocessed text ej, and transmits it together 
with the encrypted text Xj to a counter C. The counter C 
confirms that the encrypted text ^ has been signed by the 
election administrator A and publishes a summary containing 
the encrypted text x,- as is. The voter Vj, if his own encrypted 
text Xj has been recorded, sends the key kj used to encrypt the 
vote content vj to the counter C, and if it has not been recorded, 
files an objection with the counter C. Jhe counter C uses the key 
k { received from the voter to decrypt the vote content Vj from the 
encrypted text Xj and counts it. 
{0006} 

{Problem to be solved by the invention} However, with this 
method, the voter Vj needs to confirm that his own encrypted 
text Xj was recorded from the vote summary published after the 
voting deadline and transmit the key kj to the counter C, i.e., it is 
a system with low voter convenience. 

{0007} The purpose of this invention is to provide a convenient 
electronic voting system and method which allows objections to 
be filed without infringing on privacy and makes it possible to 
handle counter improprieties and malfunctions and which does 
not require the voter to send the key used for encryption to the 
counter after voting. 

{0008} . 
{Means of solving the problem} In this invention, a voter 
encrypts the vote content with the public key of a counter, 
further randomizes that encrypted vote content with a random 
number to generate preprocessed text, attaches a signature to 
that preprocessed text and transmits it to an election 
administrator. The election administrator, after authenticating 
the legitimacy of the voter using the attached signature, makes a 
blind signature to the preprocessed text and returns the blind 
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signature for the preprocessed text to each voter. The voter 
removes the effect of the random number from the blind 
signature for the preprocessed text to find the election 
administrator's signature information for the encrypted vote 
content, and transmits it together with the 
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encrypted vote content as vote data to the counter. The counter, 
after confirming that the signature information for the received 
encrypted vote content has been signed by the election 
administrator, publishes the vote data. After each voter has 
confirmed that his own encrypted vote content has been 
recorded in the published vote data list, the counter uses a secret 
key kept by him to extract the vote content from the encrypted 
vote content, and counts it up. If the encrypted vote content was 
not recorded in the vote list, an objection is filed against the 
counter. Furthermore, there may also be multiple counters, each 
holding a portion of the decryption key, whereby all the vote 
content is extracted from encrypted vote content by the 
cooperation of all or a specified number of counters. 
{0009} According to this invention, in the encrypted vote 
content, the vote content is randomized with a random number, 
so the election administrator and counter cannot find the vote 
content from the randomized vote content, making it possible to 
ensure anonymity of the vote. 

{0010} Here, the decryption key is held by the counter, and the 
voter does not need to again communicate with the counter for 
the purpose of opening the ballot. 

{0011} If there are multiple counters, when vote content is 
opened through their cooperation, the fact that one is a 
legitimate voter can be indicated upon filing an objection simply 
by sending the encrypted vote content and the election 
administrator's signature. That is, even if a fraudulent person is 
present among the multiple counters, the vote content cannot be 
known unless all or a specified number of counters cooperate. 
{0012} Furthermore, since encrypted vote content goes to 
distributed counters, here as well, unless all or a specified 
number of them cooperate, the midway progress of voting 
cannot be found out while voting is still going on, making for a 
fair voting scheme. 

{0013} Moreover, in cases whether opening of votes is possible 
by the cooperation not of all but of a specified number of 
counters, even if some of the counters should be fraudulent or 
become unable to cooperate in opening votes, the vote opening 
operation can be properly carried out, so this scheme can be said 
to provide for a highly fault tolerant system 
{0014} 

{Modes of embodiment, of the invention} In the following 
embodiment examples, cases are described where this invention 
is applied to voting in a political election as an example of 
voting, but as discussed above, the voting principle envisioned 
by this invention can also be applied as is to voting in statistical 
surveys. 

Embodiment example No. 1 

Figure 1 is a drawing which shows the overall constitution of 
the voting system according to this invention. The devices 100 
of T voters Vj (i=l, •■• T) (called voter devices) are connected to 
the device 200 of the election administrator A (called election 
administrator device) and the device 300 of the counter C 
(called counter device) via named communication channels 400 
and anonymous communication channels 500, respectively. 
When a voter Vj transmits information via a named 
communication channel 400 to the election administrator A, 
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sender information indicating who the sender is, for example a 
name Vj or identification information IDj, is appended to the 
information transmitted, while when transmitting information 
via an anonymous communication channel to the counter C, 
sender information is not appended to the information 
transmitted. Furthermore, the counter C publishes a summary of 
vote content (vote list and polling score list), which the voters 
are all able to access. Figure 3 shows an example of the 
constitution of the voter device 100 in the voting system of 
Figure 1, Figure 4 shows an example of the constitution of an 
election administrator device 200, Figure 5 shows an example of 
the constitution of a counter device 300, and Figure 6 shows an 
example of the communication sequence in the voting system of 
this invention. Furthermore, Figure 2A illustrates an eligible 
voter list 240A possessed by the election administrator A, 
Figure 2B — a list of voters 240B given approval to vote, 
Figure 2C — a vote list 320A prepared by the counter C after 
the casting but before the counting of votes, Figure 2D — an 
example of a vote list 320A after counting, and Figure 2E — a 
polling score list 320B. 

{0015} Below, the case is described wherein a voter V;, after 
obtaining approval to vote from the election administrator A, 
performs the voting procedure with respect to the counter C. 
{0016} The notation used in the following description is 
summarized here. 

{0017} x = £c( v >kpc): the encryption function of counter C (x: 
encrypted text, v: vote content, k PC : the counter's public key) 
V = p c (x, k S c): the decryption function of counter C (ksc* the 
counter's secret key) 

s = Oj(e): the signature generating function of voter Vj (s: 
signature, e: encrypted vote content) 

e = £(s): the verification function for the signature of voter Vj 
d = c A (e): the blind signature generating function of the election 
administrator A (d: blind signature) 

z = OXy)* the verification function for the signature of the 

election administrator A (y: signature, z: ballot) 

e = co A (z, r): randomization function (r: random number) 

y = 5 A (d, r): random number component elimination function (d: 

blind signature) 

Here, the encryption function and the decryption function pc 
of the counter C are ones used in well known public key 
cryptosystems; the counter C keeps the secret key k sc secret and 
publishes the public key k PC to the voters. Furthermore, the 
randomization function co A (z, r) for blinding (preprocessing for 
blind signing) with random number r the message m to be 
signed when the voter requests a blind signature, and the 
random number component elimination function 5 A (d, r) which 
removes the random number component r from the received 
blind signature d to extract the signature y of the election 
administrator A for the ballot z, are necessarily determined by 
the blind signature function a A used by the election 
administrator A. Such signature functions include for instance 
RSA cryptography encryption functions and decryption 
functions (Ronald Rivest, Adi Shamir, Leonard Adleman: "A 
method for obtaining digital 
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signatures and public-key cryptosystems", Communications of 
the ACM, vol. 21, No. 2, pp. 120-126 (Feb., 1978)), and details 
regarding techniques of randomization with random numbers as 
preprocessing for requesting a blind signature are described in 
David Chaum: "Security without identification: Transaction 
systems to make big brother obsolete", Communications of the 
ACM, Vol. 28, No. 10, pp. 1030-1044 (Oct., 1985). 
{0018} The voter device 100 shown in Figure 3 is constituted as 
follows. A memory 121 stores in advance the voter's 
identification information IDj and name V { . Furthermore, data 
which is generated in the device 100 and used in subsequent 
processing is also stored in the memory 121. The encryption 
device 1 10 encrypts the vote content Vj selected by the voter Vj 
(here, for instance, candidate name CNDj) with the public key 
kpc of the counter C and obtains an encrypted text Xj = £ c ( v ii 
kpc). The tag generating device 1 1 1 generates a random number 
t{, which is used as a tag known only to voter V is as described 
below. The associating device 112 associates the encrypted text 
xj and the tag t { and outputs z { = Xj || tj. Hereinafter, Zj will be 
called a ballot. The random number generating device 120 
generates a random number r,-. The randomization device 130 
randomizes the ballot Z\ with random number r { by means of a 
randomization function e = co A (z, r) as preprocessing for blind 
signing and generates a preprocessed text ej. The signature 
generating device 140 generates a signature Sj = Ojfo, IDj) for 
the preprocessed text ej to indicate that it belongs to the voter Vj. 
The data <ej, Sj, IDi> is transmitted from the transmission and 
reception unit 190 via a communication line 400 to the election 
administrator device 200. The connection with the election 
administrator device 200 via the communication line 400 is 
maintained until a blind signature dj is received from the 
election administrator device 200. 

{0019} The random number component elimination device 150 
removes the random number component from the blind 
signature dj received via the transmission and reception unit 190 
from the election administrator device 200 by means of the 
random number component elimination function yj = 8 A (dj, Tj) 
using the random number r i5 and obtains y- } as the signature of 
the election administrator A for the ballot Z\. The signature 
verification unit 160 examines whether or not the verification 
function zj = WyO holds true to verify if y { is authentic. The 
data <Zj, yj> is transmitted from the transmission and reception 
unit 180 to the counter device 300. The list inspection part 170 
accesses the counter device 300 and inspects the vote list 320A 
obtained via the transmission and reception unit 1 80. 
{0020} The election administrator device 200 shown in Figure 4 
has a memory 240 for recording an eligible voter list 240 A 
(Figure 2A) with identification information IDj of eligible voters 
prerecorded therein, and a voter list 240B (Figure 2B) in which 
identifications IDj of voters who have been given approval to 
vote are written; a voter verification unit 210 which checks 
whether identification information IDj received from a voter is 
on the eligible voter list; a signature verification unit 220 which 
verifies the correctness of a voter's signature s } for the voter's 
preprocessed text e s received based whether or not the 
verification function c t = ^ (Sj) holds true; a voter list generation 
unit 260 which writes legitimate voters into a specific region of 
memory 240 to generate a voter list; a signature generating 
device 230 which generates a blind signature dj = a A (ei) for the 
preprocessed text e { ; and a transmission and reception unit 250 
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which performs transmission and reception of data to and from 
voter devices. 

{0021} The counter device 300, as shown in Figure 5, has a 
signature verification unit 310 which verifies the signature y { by 
checking whether of not %\ = 0v(yi) holds true using the 
verification function £a( v 0 on the ballot Z\ and the signature yj of 
the election administrator A in the vote data <Zj, yj> received via 
the transmission and reception unit 360 from a voter device 100; 
a memory 320 which stores the vote list 320A (Figure 2C) with 
a serial number qj affixed to the vote data <Zj, y { > by the vote list 
generating unit 370 added thereto; a separation unit 350 which 
separates the encrypted text Xj from the ballot Zj = Xj || t\\ a 
decryption device 330 which decrypts Xj by means of the 
decryption function p c using the counter's secret key k S c to 
obtain vj = pc(xj, k S c) as the vote content; and a counting device 
340 which counts up the vote content Vj. Furthermore, decrypted 
vote content v { is added to the vote data corresponding to serial 
number q of the vote list 320A stored in memory 320, as shown 
in Figure 2D. The count results are stored in memory 320 as a 
polling score list 320B of the number of votes C#h (h = 1, 2, ...) 
obtained by each candidate (CND h ; h = 1, 2, ...), as shown in 
Figure 2E. The content of the vote list 320A and polling score 
list 320B are transmitted to voter device 100 making access 
through the transmission and reception unit 380. 
{0022} Below, the voting procedure in this embodiment 
example No. 1 is described with reference to Figure 6. 
Step SI: A voter Vj performs preparation for voting using the 
voter device 100 (Figure 3) as follows. 

{0023} Step Sl-1: The voter Vj encrypts the vote content Vj with 
the encryption device 1 10 using the secret key k PC of the counter 
C and the encryption function £ c to generate encrypted text 
^ = £c(Vi, k PC ). 

Furthermore, he generates a tag tj using the tag generating 
device 1 1 1 and associates it with Xj using the associating device 
112 to obtain a ballot 

Zj - Xj || tj. 

The tag tj is for instance a random number, and only the voter Vj 
knows that it is his. 

{0024} Step SI -2: The voter Vj generates a random number T\ 
using the random number generating device 120 and randomizes 
Zj with rj using the randomization device 130 to generate 
preprocessed text 
ej = co A (zi, n). 

{0025} Step SI -3: The voter Vj uses the signature generating 
device 140 to generate a signature 
sj = Oifc, IDi) 

for the preprocessed text ej and the identification information 
IDj, and transmits the data <ej, s is IDj> from the transmission 
and reception unit 190 to the election administrator device 200. 
Step S2: The election administrator device 200 (Figure 4) 
possesses in advance the relationships between registered 
eligible voter names Vj and their identification information IDj, 
as shown in Figure 2 A, in the form of an eligible voter list 240A 
(Figure 2A), and also has a voter list 240B (Figure 2B) for 
writing in, by means of the voter list generating unit 260, the 
name Vj or identification information IDj of eligible voters 
given approval to vote. The voter list is published after 
acceptance of votes is completed; if it is permissible to publish 
the names Vj of approved voters, the voter name Vj is written in, 
while if it is being avoided that the names of voters should 
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become known, the identification information IDj is written in. 
One of these is decided upon for the voting -system. In the 
description below, the identification information IDj of the voter 
Vj will be written in the voter list 240B (Figure 2B). Upon 
commencement of vote acceptance, there is nothing recorded in 
the voter list. The approval procedure by the election 
administrator device 200 is carried out as follows. 
{0026} Step S2-1: The election administrator A confirms that a 
voter is an eligible voter by checking if his identification 
information IDj is present in the eligible voter list 240A (Figure 
2 A) by means of the voting eligibility confirmation unit 210. If 
it is not, the election administrator A denies the approval. 
{0027} Step S2-2: The election administrator A checks whether 
the voter Vj has previously received approval from the election 
administrator A by examining if his IDj has already been entered 
in the voter list 240B (Figure 2B) by means of the vote 
eligibility confirmation unit 210. If the IDj has already been 
given approval, the election administrator A denies approval as 
a case of duplicate voting. 

{0028} Step S2-3: If IDj has not been entered previously, the 
election administrator verifies that Sj, e s and IDj satisfy the 
following formula 
(e is IDO = Ci(Si) 

using the signature verification device 220. If verification is 
successful, the election administrator A computes, via the 
signature generating device 230, the signature d { 
di = o A (ei) } 

transmits dj from the transmission and reception unit 250 to the 
voter device 100, and adds the IDj of voter Vj to the voter list 
240B (Figure 2B) in memory 240 by means of the voter list 
generating unit 260. 

{0029} Step S2-4: After acceptance of votes has ended, the 
election administrator A publishes the voter list 240B and the 
number of voters. As for the method of publication, notice is 
given in advance to eligible voters that the voter list 240B in the 
memory 240 of the election administrator device 200 can be 
accessed via arbitrary communication channels within a 
specified period of time from a specific date. The method of 
access to this list can be implemented for instance by means of a 
predetermined telephone number. The place of publication of 
voter list 240B may also be a predetermined internet address, 
rather than inside the election administrator device 200. 
Step S3: The voter Vj generates the ballot and corresponding 
signature information using the voter device 100 (Figure 3) as 
follows. 

{0030} Step S3-1: The voter Vj inputs dj and r$ into the random 
number component elimination device 150 to obtain the 
signature information yj for the ballot Zj 
yj = 5 A (dj, r;) 

{0031} Step S3-2: The voter Vj uses the signature verification 
device 160 to confirm that yj is the signature of the election 
administrator A based on whether or not 
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Zi = Wyi) 

holds true. If it does not, the voter Vj Claims impropriety on the 
part of the election administrator A by presenting the data <ej, 
dj>. 

{0032} Step S3-3: If said signature confirmation succeeds, the 
voter Vj transmits the data <z { , yj> from the transmission and 
reception unit 180 to the counter device 300 via communication 
channel 500. 

Step S4: The counter C collects votes using the counter device 
300 as follows. 

{0033} Step S4-1: The counter C receives vote data <zj, y { > 
from voters, via reception unit 360 and uses the signature 
verification device 310 to confirm that yj is an authentic 
signature for the ballot Zj by verifying whether or not 

Zi = WyO 

holds true. If the verification succeeds, the ballot Zj and its 
signature yj are numbered with a serial number q and entered as 
vote data <q, z { , yj> into the voter list 230A (Figure 2C) by 
means of the vote list generating unit 370. 
{0034} Step S4-2: After all votes have been cast, the counter C 
publishes a vote list 320A by enabling access to the memory 
320 via the transmission and reception unit 380. This vote list is 
made accessible to all voters. For the publication method, 
advance notice is given of the publication period and publication 
location, just as in the case of voter list 240B discussed above. 
Step S5: The voter Vj performs verification using the voter 
device 100 as follows. 

{0035} Steps S5-1: The voter Vj accesses the memory 320 of 
die counter device 300 by means of the transmission and 
reception unit 180, receives the content of the voter list 320A 
and verifies that the number of votes listed in the voter list 320A 
is equal to the voter list published in Step 2-4 by means of the 
list verification device 170. If it does not match, number q and 
random number r is published, and a claim of impropriety is 
filed with the election administrator A. 

{0036} Steps S5-2: Voter Vi verifies that his own ballot Zj has 
been published in the voter list 3 20 A by means of the list 
verification device 170. For the verification, one may verify 
whether Zj itself is present in the list, or verify that the tag tj in Zj 
= Xj || tj is one's own. If it has not been published, a claim of 
impropriety on the part of the counter C is made by presenting 
the vote data <Zj, Vj>. 

Step S6: The counter C opens and counts votes by means of the 
counter device 300 as follows. 

{0037} Step S6-1: After commencement of reception of ballots 
Zj and signatures yj from voters Vj using the reception unit 360, 
if there are no notices of aforesaid impropriety within a specific 
period of time, the counter C separates Xj the ballot Zj = Xj || tj 
with the separation unit 350, opens the ballot with the 
decryption device 330, uses the secret key k S c to determine the 
vote content v { based on 
Vi = p c (Xj, k sc ), 
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and verifies that the vote content Vj is a correct vote, i.e. that the 
vote content Vj comprises names or symbols representing 
candidates presented, in advance. If not, it is considered to be an 
invalid vote. 

{0038} Step S6-2: The counter C counts up the vote content v { 
in the voter list of Figure 2C using the counting device 340, 
obtains the number of votes cast for each candidate, publishes 
the result as a polling score table 320B shown in Figure 2E, and 
adds v.- for the qth vote datum <Xj, t i} yi> as shown in Figure 2D. 
The count results are appended to the vote list 320A and 
published. 

Step S7: The voter V,- confirms that the operations of the counter 
C are correct by means of the voter device 100. That is, he 
confirms if all of v { has been added to the voter list 320A shown 
in Figure 2C and if it corresponds to Xj and v { of the voter Vj. 
{0039} The aforementioned step S5 may be omitted. 
Furthermore, the publication of the polling score list in step S6- 
2, as well as step S7, may also be omitted. 
{0040} In the embodiment described above, the voter Vj 
encrypts the vote content Vj using the encryption function £ c of 
the counter C as Xj - ^c(vi,k PC ) and sends the vote data <z {i y { > 
to the counter C, so the counter C, if he so intends, can decrypt 
xj in Zjby means of the decryption function v» = p c (xi, k^) using 
the counter's secret key k PC to obtain Vj before the vote list is 
published in Step 4-2. That is, he can obtain information such as 
the voting trend or the midway results without waiting for 
publication of the vote list and leak that information to 
particular persons before the official count results come out, 
which is undesirable with respect to the fairness of an election. 
Furthermore, in embodiment example No. 1, if the counter 
device 300 breaks down, it may riot be possible to complete vote 
counting on schedule. Below, an embodiment example is 
described which improves these points by decrypting and 
counting the encrypted vote content with multiple counter 
devices administered by multiple counters. 
{0041} Here, the cryptographic functions (encryption function 
£c and decryption function p c ) of the distributed counters are 
used by means of a public key cryptography scheme, with 
decryption of the encrypted text becoming possible only when 
decryption processing for each encrypted text Xj has been 
performed with the distributed decryption keys k SCi held by all 
the distributed counters, or else there is a threshold U t (2 < U t < 
U) for the number of persons required for decryption, with 
decryption being possible when the specified number of 
threshold distributed counters comes together. Such 
cryptographic functions include for example the encryption and 
decryption functions of ElGamal cryptography (Taher ElGamal: 
"A public key cryptosystem and a signature scheme based on 
discrete logarithms", IEEE Transactions on Information Theory, 
Vol. IT-31, No. 4, pp. 469-472 (July, 1985)); details on 
techniques of decryption by distributed decryptors and 
techniques employing a threshold are described in Yvo 
. Desmedt, Yale Frankel: "Threshold cryptosystems" in Advances 
in Cryptology-CRYPTO '89, Lecture Notes in Computer 
Science 435, Springer-Verlag, Berlin, pp. 307-315 (1990). 
Embodiment example No. 2 

Figure 7 shows the overall constitution of a voting system 
according to embodiment example No. 2. In this embodiment 
example, the point that the voter devices 100 are each connected 
to an election administrator device 200 via a communication 
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channels 400 and are each connected to one counter device via a 
communication line 500 is the same as in embodiment example 
No. 1; the point of difference in constitution is that multiple 
counter devices 300j (j = 1, U; hereinafter called distributed 
counter devices) are provided, whereby the distributed counter 
device 300| performs decryption processing of the encrypted 
text xj from all voters to generate x n , which is sent to the next 
distributed counter device 300 2 , with the jth distributed counter 
device 300j similarly performing decryption processing of the 
decryption processed data Xy.|, received from the immediately 
preceding distributed counter device 300j_i to generate xy, and 
sending it to the next distributed counter device 300j+|. The vote 
content vj is first obtained through decryption processing by the 
final distributed counter device 300u. Just as in embodiment 
example No. 1, when a voter device 100j sends data to the 
administrator device 200 via communication channel 400, the 
identification information IDj of the voter Vj is appended 
thereto, while no identification information IDj is appended 
when sending data to the distributed counter device 300) via 
communication channel 500. 

{0042} Except for the fact that the counter device 300 is made 
into distributed counter devices 300, the communication 
sequence example, the example of the constitution of each voter 
device 100 is the example of the constitution of the election 
administrator device 200, etc. are the same as before. 
Furthermore, the point that each voter uses a common public 
key k PC to encrypt the vote content Vj by means of Xj = C(vj, k PC ) 
is the same as in embodiment example No. 1; however, each of 
the counters C| to Qj has a distributed secret key k S ci, k S c2, 
kscu> a U number of which are generated from the secret key 
k sc , which are used to perfoirn decryption processing, and the 
vote content v { cannot be decrypted from the encrypted text Xj 
by any counter device 300j alone. When the aforementioned 
ElGamal cryptography is used as the cryptosystem, such 
distributed secret keys k sci , k SC2 , k scu can for instance be 
determined such that the sum of the values of these keys will be 
equal to the value of the secret key k sc corresponding to the 
public key k PC , as indicated in the aforementioned document of 
Desmedt-Frankel. 

{0043} Figure 8 A shows the constitution of the first distributed 
counter device 300j which gathers votes from the voter devices 
1 00 j to 100 T and which comprises a signature verification unit 
310, a memory 320, a counting device 340, a separation unit 
350, a distributed decryption processing unit 331, reception unit 
360, a vote list generating unit 370 and a transmission and 
reception unit 380. It differs from the counter device 300 of 
embodiment example No. 1 shown in Figure 5 in the following 
respects. First, decryption processing x n = Pci(Xi, k sa ) using 
distributed secret key k S ci is performed on encrypted text Xj in 
the distributed decryption processing unit 331 to generate 
intermediate decrypted data xn, which is sent to the next 
distributed counter device 300 2 . Second, the counting device 
receives decrypted vote content v { from the final distributed 
counter device 300u and counts it. The 2 nd through the Uth 
distributed counter devices 300 2 to 300u, as shown in Figure 8B 
represented by the jth distributed counter device (2 < j < U), 
only have a distributed decryption processing unit 331, 
performing decryption processing Xy- = Pci(*ij-i, ksa) using the 
distributed secret key k S cj on the intermediate decrypted data Xy_ 
! received from the preceding distributed counter device 300j.i to 
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generate intermediate decrypted data Xy, which is transmitted to 
the following distributed counter device 300j +1 . However, at the 
final distributed counter device 300u, can be obtained as the 
final decryption result, which is the vote content Vj = xju, by 
means of decryption processing xnj = Pcu( x iiM> k SC u), and t ^ iat 
vote content v { is transmitted to the first distributed counter 
device 300|. 

{0044} The voting procedure in this embodiment example No. 2 
will be described. In this embodiment example, the same 
procedure is performed as the procedure from step SI to Step S5 
in embodiment example No. 1. However, the vote data <Zj, Vj> 
from each voter device 100j is received by the first distributed 
counter device 300j. In this embodiment example No. 2, steps 
S6 and S7 of embodiment example No. 1 are modified as 
follows, U being the number of distributed counter devices. 
Step S6: Distributed counter Cj (j = 1, U) performs counting 
by means of distributed counter device 300j as follows. 
{0045} Step S6-1: The first distributed counter device 300 l 
separates Z\ = \\ \\ t\ in the vote data <Zi, y,-> from each voter 
device 100j (i = 1, T) into encrypted text Xj and tag tj with 
the separation unit 350, performs the following decryption 
processing 
Xji = p C i(Xi, k SC) ) 

by means of the distributed decryption processing unit 330 using 
the distributed secret key k S ci> obtains intermediate decrypted 
data Xji and sends it to the next, 2nd distributed counter device 
300 2 . 

{0046} Thereafter similarly, the jth distributed counter device 
300j performs decryption processing 

x ij = Pcj(xi, kscj-i) on intermediate decrypted data x^ from the 
(j-l)th distributed counter device 300^ by means of the 
distributed decryption processing unit 330 using the distributed 
secret key k SC j, and sends the obtained intermediate decrypted 
data Xy to the next, G*+l)th distributed counter device 300j +1 . 
{0047} The final Uth distributed counter device 300u performs 
decryption processing 

V| = xju = Pcu(Xi, k S cu) on the intermediate decrypted data x,ui 
from the (U-l)th distributed counter device by means of the 
distributed decryption processing unit 330 using the distributed 
secret key k SC u to obtain the vote content Vj. The Uth distributed 
counter device 300u verifies whether or not the obtained vote 
content is invalid. 

{0048} Step S6-2: The Uth distributed counter C v counts the 
vote content v,- using the counting device 340, publishes the 
results thereof, and adds the vote content vj to the vote list. 
Step 7: The voter V; confirms that the operation of the 
distributed counter device 300y is correct by means of the voter 
device 100;. 

{0049} In this way, in embodiment example No. 2, since 
decryption processing is performed sequentially by multiple 
distributed counter devices 300; to 300u and the vote content Vj 
is obtained at the final distributed counter device 300u, no 
distributed counter alone can open votes and obtain v { before the 
start of counting. 
Embodiment example No. 3 

Figure 9 shows the overall constitution of the voting system of 
embodiment example No. 3. In this embodiment example, each 
voter device 100j (i = 1, T) is able to connect via 
communication lines 500 to all of the distributed counter 
devices 300) to 300u, and sends the generated vote data <zj, y{> 
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to all the distributed counter devices 300 1 to 300^ The 
constitution of each voter device 100j and of the election 
administrator device 200 is the same as in embodiment 
examples No. 1 and No. 2. 

{0050} the constitution of the 1 st to the (U-l)th distributed 
counter device 300,- to 300^, as shown in Figure 10A 
represented by the jth distributed counter device 300j, comprises 
a signature verification unit 310 which performs verification of 
the signature yj for Zj in the vote data received from each voter 
device 100j, a separation unit 350 which separates the encrypted 
text Xj from Zj, and a distributed decryption processing unit 33 1 
which performs decryption processing Xy = p Cj (Xj, k SC j) using 
distributed decryption key k SC j on the encrypted text to 
generated intermediate decrypted data Xy, which is transmitted 
to a predetermined distributed counter device, in this example 
300u. Distributed counter device 300u, as shown in Figure 10B, 
is constituted by adding a memory 320; combination decryption 
unit 332; counting device 340; a vote list generating unit 370 
which appends a serial number q to each vote datum <Zj, y { > 
collected from preceding distributed counter devices 300], ... , 
300u and enters it into the vote list 320A; and a transmission 
and reception unit 380 which communicates with the voter 
device 100 to make the vote list 320A and polling score list 
320B accessible. In the memory 331, a vote list 320A which 
lists the received vote data and a polling score list 320B for each 
candidate representing the results of counting are formed. The 
combination decryption unit 332 performs decryption 
processing Vj = pc(xn, X;u) by means of decryption function 
p c on intermediate decrypted data x n to x.-y generated by 
distributed counter devices 300i to 300u to obtain vote content 
Vj, and supplies it to the counting device 340. The counting 
device 340 verifies the validity of the vote content V;, and if it is 
valid, adds 1 to the polling score of the corresponding 
candidates in the polling score list generated in memory 320. 
Furthermore, it adds Vj to the corresponding vote data in the vote 
list. 

{0051} In this embodiment example No. 3 as well, each 
distributed counter device cannot by itself decrypt the vote 
content vj from the encrypted text x i? thus ensuring fairness of 
the election. 

Modified embodiment example 1 

In embodiment examples No. 2 and No. 3, the vote content Vj 
cannot be decrypted from the encrypted text x { unless all the 
distributed counters C) to Cu cooperate. However, for instance 
by forming the distributed decryption processing unit 331 
according to the method of Desmedt-Frankel discussed above, it 
is possible to decrypt v { from encrypted text Xj encrypted using 
public key kc with at least L (2 < L < U-l) distributed counter 
devices. An embodiment example applying this method to 
embodiment example No. 2 (Figures 7, 8A and 8B) will be 
described. 

{0052} For instance, even if one of the distributed counter 
devices 300 2 to 300u, say, 300j, break downs, the immediately 
preceding distributed counter device 300j_, avoids distributed 
counter device 300j and sends intermediate decrypted data xy_i 
to distributed counter device 300j +] . Distributed counter device 
300j+i uses distributed secret key k S cj+i on the intermediate 
decrypted data Xjj.j according to x ij+2 =' Pc(xi, k S q+i) to obtain 
intermediate decrypted data Xy+j, and can then just pass it on 
further to the following distributed counter device 300j +2 . The 
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method of generating the distributed secret key used in this case 
is indicated for instance in the aforementioned document by 
Desmedt-Frankel. Furthermore, if the constitution of all the 
distributed counter devices 300) to 300u is made as the 
constitution shown in Figure 8 A, even if the first distributed 
counter device 300i should break down, the next stage 
distributed counter device 3O0 2 can receive vote data <Zj, y { > 
from voter devices 100 1 to 100 T instead of it, substituting in 
performing the functions of distributed counter device 300i. It 
then suffices for the last stage distributed counter device 300u to 
transmit the vote content vj obtained through decryption 
processing to the substitute distributed counter device 300 2 . 
• According to this embodiment example, vote counting can be 
performed even if any number of distributed counter devices U- 
L or less should break down. 
Modified embodiment example 2 

Similarly, by applying the method of Desmedt-Frankel to the 
distributed decryption processing unit 331 and combination 
decryption unit in embodiment example No. 3 (Figures 9, 10A 
and 10B), vj can be decrypted so long as intermediate decrypted 
data is obtained by L or more (2 < L < U-l) distributed counter 
devices out of the distributed counter devices 300 1 through 
300lm. For example, if distributed counter devices 300j to 
300u-l broke down, the vote content v { can be decrypted by 
providing the intermediate decrypted data x\\j-l+\ to x {U from the 
remaining distributed counter devices 300u_ L +i to 300u to the 
combination decryption unit 332 of distributed counter device 
300u and applying decryption processing Vj = pc(xju-i+i, *iu-L+2> 
Xju) thereto. The validity of the obtained vote content Vj is 
verified by the counting device 340, and if valid, 1 is added to 
the polling score of the candidates corresponding to v,- in the 
poling score list in memory 320. 

{0053} In this modified embodiment example, if the 
constitution of all the distributed counter devices 300j to 300u is 
made the same as that shown in Figure 10B, even if any number 
of distributed counter devices U-L or less should break down, 
vote counting can be performed by having a remaining one 
perform the same operation as the distributed counter device in 
Figure 10B. 

{0054} Each of the devices shown in Figures 3 to 5, 8A, 8B, 
10A and 10B are shown in terms of their functional constitution; 
each of these functions can also be implemented by providing a 
control unit to cause the operations to be performed 
successively; furthermore all or part of them can be executed by 
a computer. 
{0055} 

{Effect of the invention} As described above, in this invention, 
the vote content Vj is encrypted with the counter's public key k PC , 
so there is no need for the voter to transmit a key to the counter 
in order to encrypt the vote content. 

{0056} When there are multiple counters, the ballot opening 
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operation will not begin unless the agreement of all counters is 
obtained. 

{0057} Furthermore, when a specified number of counters can 
open ballots, the ballot opening operation can be started once 
legitimate counters come together to a certain extent, allowing 
the effect of fraudulent persons or saboteurs to be eliminated. 
{0058} Furthermore, even if a counter should tamper with the 
vote content, tampering with vote content can be detected by 
perusing the published summary of vote content. That is, when 
one's own vote was not used, it suffices to disclose the encoded 
ballot Zj and the election administrator's signature Vj and claim 
impropriety. Here, if there is a certain number of fraudulent 
counters, privacy when filing an objection is guaranteed. 
{0059} Moreover, when multiple counters are provided, in this 
invention, since the vote content is transmitted encrypted, 
improprieties such as a counter leaking the midway progress to 
influence an election while ballots are being collected can be 
prevented. 

{0060} As per the above, with this invention, voter convenience 
can be improved by using the counter's encryption key, and 
furthermore, by providing multiple counters, improprieties such 
as influencing an election by leaking the midway progress can 
be resolved, 

{Brief description of the drawings} 

{Figure 1} A block diagram showing the overall constitution of 
an election system according embodiment example No. 1 of this 
invention. 

{Figure 2} A is a table showing an eligible voter list; B is a 
table showing a voter list; C is a table showing a vote list; D is a 
table showing a vote list; E is a polling score list. 
{Figure 3} A block diagram showing an example of the 
functional constitution of a voter device 100. 
{Figure 4} A block diagram showing an example of the 
functional constitution of an election administrator device 300. 
{Figure 5} A block diagram showing an example of the 
functional constitution of a counter device 400. 
{Figure 6} A diagram showing the vote processing procedure. 
{Figure 7} A block diagram showing the overall constitution of 
an election system according to embodiment example No. 2. 
{Figure 8} A is a block diagram showing an example of the 
functional constitution of distributed counter device 300 j in 
Figure 7; B is a block diagram showing the functional 
constitution of distributed counter devices 300 2 to 300u in 
Figure 7. 

{Claim 9} A block diagram showing the overall constitution of 
a voting system according to embodiment example No. 3. 
{Claim 10} A is a block diagram showing the functional 
constitution of distributed counter device 300j to 300vj_i in 
Figure 9; B is a block diagram showing the functional 
constitution of distributed counter device 300u in Figure 9. 
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{Amendment of proceedings} 

{Submission date} 22 November 1999 (1999.11.22) 

{Amendment of proceedings 1 } 

{Title of document amended} Specification 

{Title of item amended} Claim 7 

{Method of amendment} Modification 

{Content of amendment} 



{Claim 7} 

An electronic voting method as per Claim 1 or 2, wherein said 
step (a) comprises the step of generating a voter signature for 
said preprocessed text and transmitting it together with said 
preprocessed text to said administrator device, and wherein said 
step (b) comprises the step of verifying the authenticity of said 
voter signature for said preprocessed text . 
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[00 15] 02tCC©»WC©aai7 , a-fe^(C*JW4 
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9-KBC©J/^f-AtnA»tt. "3* OaWUcfflST 
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(S 1 3) . BE£KB*&©C©A£-CJ:l.» 
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(54) {Title of invention} Electronic voting method and program recording medium therefor 
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(57) {Abstract} 

{Problem} To conceal the correspondence between voter name 
and vote content from persons other than the voter. 
{Solution} The ballot opener generates a public key 
cryptography encryption key and decryption key (SI) and 
distributes tie encryption key to all voters (S2); the voter asks 
the authenticator to issue a voting ID (S3); the authenticator 
issues a voting ID to the voter (S4); the voter encrypts the vote 
content with the encryption key (S6) and sends the encrypted 
vote and voting ID to the authenticator (S7); the authenticator 
authenticates the legitimacy of the vote (S8) and sends a list of 
encrypted votes and voting IDs to the ballot opener (SI 1); the 
ballot opener decrypts the encrypted votes with the decryption 
key, counts the votes, and publishes the voting results together 
with the voting IDs (S13). 
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SI : Encryption/decryption key generation (processing A) 

S2: Encryption key (Kp) distribution 

S3: Voting ID request 

S4: Voting ID issuance 

S5: Voting ID distribution 

S6: Vote content generation/encryption 

S7: Vote (encrypted with Kp), voting ID 

S8: Voting ID authentication (processing B) 

S9: (encrypted) Vote list publication 



Figure 1 

SI0: Confirmation/correction of vote 

SI 1 : Vote (encrypted with Kp), voting ID 

S12: Decryption (opening of ballots) (processing C) 

SI 3: Voting results notification (broadcast) 

S14, S15: Inquiry request 

S16, S17: Inquiry response 

A: Voter device 

B: Authenticator device 

C: Ballot opener device 
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{Scope of patent Claims} 

{Claim 1} An electronic voting method using a network, 
distinguished in that: 

a voter device sends the vote to an authenticator device; 
the authenticator device confirms the voter's identity, that the 
vote was cast by the voter in question, and that the vote was not 
cast in duplicate, 

and if all those confirmations are successful, sends the vote send 

to a ballot opener device; and 

the ballot opener device opens the received vote. 

{Claim 2} An electronic voting method as described in Claim 1, 

distinguished in that the ballot opener device generates a public 

key cryptography encryption key and decryption key and 

distributes the encryption key to the voter devices; 

the voter device encrypts votes and sends them to an 

authenticator device; 

the ballot opener device decrypts the encrypted votes with the 
decryption key and opens them. 

{Claim 3} An electronic voting method as described in Claim 1 
or 2, distinguished in that: 

the voter device requests issuance of a voting ID from the 
authenticator device; 

the authenticator device responds to that issuance request by 
issuing a voting ID and distributing it to the user device; 
the voter device appends the voting ED to the vote sent to the 
authenticator device; 

the authenticator device appends the voting ID to the vote sent 
to the ballot opener device; 

the ballot opener device publishes the relationship between 
opened and counted votes and the corresponding voting IDs as 
the voting results to the voter device. 

{Claim 4} An electronic voting method as described in Claims 1 
through 3, distinguished in that: 

the voter device transmits the vote with personal information 
such as name, age and sex appended thereto; 
the authenticator device attaches that personal information 
which it is permissible to publish to the vote and sends it to the 
ballot opener device. 

{Claim 5} A recording medium with a program recorded 
thereon, which causes a voter device computer, in an electronic 
voting method using a network wherein a voter device casts a 
vote via an authenticator device to a ballot opener device, to 
perform: 

processing of making a voting ID issuance request to the 
authenticator device; 

processing of acquiring a voting ID from the authenticator 
device; 

processing of generating vote content and encrypting that vote 
content to generate a vote; 

processing of sending that vote to the authenticator device; 
processing of receiving a vote content confirmation request 
from the authenticator device; 

processing of performing vote generation processing again if 
there are any modifications to the vote content; and 
processing of sending a vote content confirmation response to 
the authenticator device if there are no modifications to the vote 
content. 

{Claim 6} A recording medium with a program recorded 
thereon, which causes an authenticator device computer in an 
electronic voting method using a network, wherein a voter 
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device casts a vote via an authenticator device to a ballot opener 
device, to perform: 

processing of receiving a voting ID issuance request from a 
voter device; 

processing of issuing a voting ID; 

processing of transmitting an issued voting ID to the voter 
device; 

processing of authenticating the legitimacy a received vote; 
processing of authenticating the identity of the voter using a 
received certificate; 

processing of authenticating that a received vote was cast by a 
real voter; 

processing of authenticating that a received vote is not a 
duplicate vote; 

processing of collecting votes received within the voting period 
and generating a list thereof; and 

processing of sending the vote list to a ballot opener device. 
{Claim 7} A recording medium as described in Claim 6, 
distinguished in that said processing of authenticating 
legitimacy comprises: 

processing of authenticating the identity of the voter using a 
received certificate; 

processing of authenticating that the received vote was cast by a 
real voter; and 

processing of authenticating that the received vote is not a 
duplicate vote. 

{Claim 8} A recording medium as described in Claim 6 or 7, 
distinguished in that said program comprises a program which 
causes said computer to execute: 

processing of receiving an inquiry request from said voter 
device; 

processing of transmitting the received inquiry request to the 
ballot opener device; 

processing of receiving an inquiry response from the ballot 
opener device; and 

processing of transmitting the received inquiry response to the 
voter device. 

{Claim 9} Recording medium as described in Claims 6 through 
8, distinguished in that said program comprises a program 
which causes said computer to execute: 

after said legitimacy authentication processing, processing of 
making a vote content confirmation request to the voter device; 
and 

processing of receiving a vote content confirmation response 
from the voter device. 

{Claim 10} A recording medium with a program recorded 
thereon which causes a ballot opener device computer, in an 
electronic voting method using a network wherein a voter 
device casts a vote via an authenticator device to a ballot opener 
device, to perform: 

processing of generating an encryption key and decryption key 
pair; 

processing of distributing said encryption key to the voter 
device; 

processing of acquiring a vote list from the authenticator device; 
processing of decrypting the encrypted votes in the vote list and 
counting the votes; and 

processing of publishing the counted voting results. 

{Claim 11} Recording medium as described in Claim 10, 

distinguished in that said program comprises a program which 
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causes said computer to execute: 

processing of receiving an inquiry request from the 
authenticator device; and 

processing of transmitting an inquiry response for the received 
inquiry request to the authenticator device. 
{Detailed description of the invention} 
{0001} 

{Technical field of the invention} This invention relates to 
electronic voting methods which, in conducting electronic 
voting via a network, allow the voter to conceal the 
correspondence between voter name and vote content from 
persons other than the voter, including the ballot opener, as well 
as to program recording media therefor. 
{0002} 

{Prior art} Electronic voting whereby votes are cast via a 
network is known. For example, it is used in conducting 
popularity contests on the internet. Here, the conditions required 
for use in elections, and the like, where strict precision in 
electronic voting is necessary, are as follows. 
{0003} 

1. Votes must be cast only by eligible voters. 

2. Duplicate voting is not possible. 

3. It is not possible to find out the content of other people's 
votes. 

4. Other people's votes cannot be duplicated. 

5. It must be possible to discover if anyone has committed 
improprieties (forgery or deletion) with vote content. 

6. All voters must be able to confirm before end of voting that 
their vote was valid. 

Electronic voting schemes which fulfill these conditions include 
Schneier's electronic voting protocol. This is performed in 
electronic voting between two parties, the voter and the ballot 
opener. The procedure taken when a voter votes is that the ballot 
opener performs authentication of the voter, judges the 
legitimacy of the vote and opens the ballot, and reflects the vote 
content in the count results. Here, since the ballot opener 
receives the vote directly from the voter, he becomes able to 
find out the correspondence between voter name and vote 
content. In this case, the voter's vote content flows over a 
network, and voters who vote via a network have demands to 
the effect that the voter's personal ideas, intentions and other 
such private information not become known to other persons. 
{0004} Figure 6 shows a conventional electronic voting 
scheme. In Figure 6, voting, authentication and ballot opening is 
performed between two parties, the voter and the ballot opener. 
First, the voter, in order to vote, sends a notification of desire to 
vote to the ballot opener (SI). The ballot opener issues and 
delivers a voting ID to the voter who issued a notification of 
desire to vote (S2, S3), and the voter who has received a voting 
ID generates a key pair, which is a public key/private key (S4). 
Using these keys, the voter generates and encrypts the vote 
content (S5), and sends it together with the voting ID to the 
ballot opener (S6). Having received this, the ballot opener 
performs authentication of the voting ID (S7), generates an 
encrypted vote list, and publishes it to the voter (S8). The voter 
confirms the list and if there are corrections or the like, casts the 
vote again (S9). If the published vote content is adequate, the 
voter sends the decryption key for opening the ballot of that vote 
together with the voting ID (S10). Once the vote content has 
been settled on, after expiration of a specified period of time, the 
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ballot opener decrypts and opens the ballots (Sll), and 
publishes the vote counting results to the voters (SI 2). 
{0005} The distinguishing features of this method are indicated 
below. 

1. A voting ID is given to eligible voters, which serves as an 
identifier giving them the right to vote (processing SI, S2). 

2. The number of times a voter voted is checked by means of the 
voting ID (processing S7). 

3. Encryption is performed on the vote content (processing S4, 
S5). 

{0006} 4. Attacks from third parties are prevented by appending 
a digital signature and certificate (processing S6, S9, S 1 0). 

5. Tracing is enabled by retaining a list of voting IDs and voter 
names (S2). 

6. Legitimacy of the voting is disclosed by presenting voting 
IDs in the count results (S8, SI 2). 

{0007} 

{Problems to be solved by the invention} In the prior art, there 
was a problem in that the ballot opener could obtain both the 
voter name and the vote content. Namely, the ballot opener 
could find out the correspondence between voter name and vote 
content, and privacy protection could not be provided to the 
voter. The objective of this invention is to provide an electronic 
voting method which allows the voter to conceal the 
correspondence between voter name and vote content from 
persons other than the voter, including the ballot opener, thereby 
concealing what he voted for, and which furthermore has the 
function of preventing and tracing double voting or improper 
voting, and allows the voter to confirm that his vote was valid 
{0008} 

{Means of solving the problem} As a method of achieving the 
aforementioned objective, in this invention, an authenticator 
device is provided as an intermediary device between the voter 
device and ballot opener device, which separates the 
correspondence between voter name and vote content while 
authenticating the voter. Furthermore, when an authenticator 
device is provided, it is necessary to conceal the vote content 
from the authenticator device in order for the authenticator 
device to receive a vote from the voter device, so encryption is 
performed on the vote content which allows the ballot to be 
opened only by the ballot opener device. The generation of 
encryption and decryption keys for this purpose is performed by 
the ballot opener device, while the encryption of the vote is 
performed by the voter device itself, thereby concealing the vote 
content from persons other than the voter, except for the ballot 
opener. 

{0009} The voter device receives the key for encrypting the 
vote from the ballot opener device. The voter device is 
distinguished in that it has the functions of performing voting ID 
issuance processing whereby it transmits a voting ID issuance 
request to the authenticator device to obtain a voting ID which is 
needed when voting, as a result of which a voting ID issuance 
response is received and a voting ID is obtained; vote casting 
processing whereby it acquires a voting ID, generates and 
encrypts the vote content, transmits a vote casting request to the 
authenticator device, receives a vote casting reply from the 
authenticator device, and subsequently transmits the encrypted 
vote content together with the voting ID to the authenticator 
device, receives a vote content confirmation request from the 
authenticator device, and if there are no modifications, transmits 
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a vote content confirmation response to the authenticator device; 
voting result notification processing which allows the results of 
voting and the validity of one's own vote to be confirmed; and 
inquiry processing regarding the voting results. 
{0010} The authenticator device is distinguished in that it has 
the functions of performing voting ID issuance processing 
whereby it receives a voting ID issuance request from the voter 
device, issues a voting ID and as a result transmits a voting ID 
issuance response to the voter device; authentication processing 
whereby it receives a voting request from the voter device, 
replies with a voting response, receives the vote, and confirms 
the legitimacy of the vote; vote casting processing whereby it 
transmits a vote content confirmation request to the voter device 
and receives a vote content confrrmation response from the 
voter device; vote list deposit processing whereby it generates a 
vote list and transmits a vote list deposit request to the ballot 
opener device, receives a vote list deposit response from the 
ballot opener device, and performs vote list distribution to the 
ballot opener device; and inquiry processing whereby it receives 
an inquiry request from the voter device, transmits an inquiry 
request to the ballot opener device, receives an inquiry response 
from the ballot opener device, and transmits an inquiry response 
to the voter device. 

{0011} The ballot opener device is distinguished in that it has 
die functions of performing encryption key distribution 
processing whereby it distributes the encryption key generated 
by encryption and decryption key generation processing to the 
voter device; vote list deposit processing whereby it receives a 
vote list deposit request from die authenticator device, answers 
with a vote list deposit response, and receives the vote list; 
voting result notification processing whereby it opens (decrypts) 
the vote list, counts the votes, and distributes the voting results 
to the voter devices; and inquiry processing whereby it receives 
an inquiry request from the authenticator device and transmits 
an inquiry response to the authenticator device. 
Operation 

By providing an authenticator device which authenticates the 
voter as an intermediary device, the ballot opener device 
becomes unable to discern the voter name, as a result of which 
the voter's privacy is protected in relation to the ballot opener. 
{0012} Furthermore, when an authenticator device is provided, 
the ballot opener device generates an encryption key and 
decryption key for the votes. Public key encryption is used as 
the encryption scheme. Here, the authenticator device distributes 
the generated encryption key in advance to the voter devices, 
while keeping the decryption key secret. This allows the voter 
device to perform encryption on the vote content, allowing the 
vote content to be concealed from persons other than the voter, 
except for the ballot opener. 
{0013} 

{Modes of embodiment of the invention} An outline of the 
electronic voting method of this invention whereby an 
intermediary (authenticator device) is provided and the ballot 
opener device is made the device which generates the key for 
encrypting vote content is shown in Figure 1. First, the ballot 
opener device generates an encryption key (public key) and 
decryption key (private key) (SI) (processing A), and distributes 
the encryption key Kp to the voter devices (S2). The voter 
device request a voting ID which is needed when voting from 
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the authenticator device (S3), and the authenticator device issues 
a voting ID (S4) and distributes it to the voter device (S5). The 
correspondence between the voting ID and voter device is stored 
in the authenticator device. 

{0014} The voter device uses the encryption key Kp obtained 
from the ballot opener device to encrypt the vote content (S6) 
and transmits the encrypted vote and voting ID to the 
authenticator device (S7). Receiving this, the authenticator 
device performs voter authentication (S8) (processing B), and if 
legitimacy of the vote can be established, transfers the vote and 
its voting ID to the ballot opener device (SI 1). Here, if required, 
the authenticator device publishes an encrypted vote list to the 
voter device and request corifirrnation of vote content (S9), the 
voter device confirms the vote content and votes again if there 
are any modifications (S10). The authenticator device which has 
received a vote cannot perform improper opening of the ballot 
since it does not have the decryption key. The ballot opener 
device, having received a voter device's vote from the 
authenticator device, opens the ballot using the decryption key 
(SI 2) (processing C), and the ballot opening results are 
communicated to all voter devices via a broadcast (SI 3) 
(processing D). If a voter's own voting ID is contained in the 
vote content in the ballot opening results, it means his ballot was 
correctly opened; if his voting ID is not contained there, the 
voter sends an inquiry request to the authenticator device (SI 4), 
and the authenticator device sends the inquiry request to the 
ballot opener device (SI 5). The ballot opener device sends a 
response to the inquiry to the authenticator device (SI 6), and the 
authenticator device sends that inquiry response to the user 
device (SI 7). 

{0015} Figure 2 shows the processing involved in the voting 
process in this invention. First, in the encryption key distribution 
processing, the ballot opener device generates the encryption 
key and decryption key for performing encryption on the vote 
content for the voter devices. The encryption key generated here 
is distributed to all the voter devices. In the voting ID issuance 
processing, the authenticator device issues and provides the 
voting ID needed when voting to the voter device. The vote 
casting processing is carried out when a vote is actually cast. 
The vote list deposit processing is executed when the vote list 
generated from votes collected by the authenticator device is 
provided to the ballot opener device. Inquiry processing is 
executed when a voter device makes an inquiry regarding the 
voting results. 

{0016} Figure 3 shows a flow chart of the voter device in this 
invention. First, it is necessary to obtain the voter ID and 
password for receiving the service via an existing WWW 
browser (SI). If they have been acquired, the voting service can 
be used; if they have not been acquired, a voter ID and password 
issuance request is made (S2). Namely, a voter ID and password 
correspond to the qualifications for participating in this system, 
i.e. to the right to vote. By entering a voter ID and password, an 
encryption key can be obtained (S3). Next, the possession of a 
certificate needed for voting is confirmed (S4), and if it is not in 
possession, issuance of a certificate is requested (S5). If it is in 
possession, selection of the certificate is carried out (S6). The 
certificate selected here is used to transmit to the authenticator 
device when voting. That is, the certificate serves to authenticate 
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the identity of the voter; the certificate is issued by an 
authenticating authority and comprises certification by the 
authenticating authority of the name or identifier (ID) of the 
voter, as well as his public key and the like. A voter device for 
instance encrypts a random number R with the secret key 
corresponding to its public key and sends the encrypted random 
number R and the certificate to the authenticator device; the 
authenticator device decrypts the encrypted random number 
with the certificate's public key, and if the decryption results are 
equal to the received R, the person holding the secret key 
corresponding to that public key is considered to match the 
person with the name on that certificate and his identify is 
authenticated. Just as multiple credit cards are used, this 
certificate may also be issued by multiple authenticating 
authorities, in which case selection of a certificate becomes 
necessary. 

{0017} When actually voting, a voting ID required for each 
instance of voting becomes necessary. In order to acquire a 
voting ID, a voting ID issuance request is transmitted to the 
authenticator device (S7), reception of a voting ID issuance 
response is awaited (S8), and a voting ID is obtained (S9). If a 
voting ID has previously been acquired, a previously issued 
voting ID is acquired. Next, voting request to cast a vote is 
made (for example, a request for ballot) (S10), and then the 
voting response is received (for example, a ballot) (SI 1). Next, 
vote content is generated and encryption processing is 
performed (SI 2). If one has already voted, a confirmation of the 
previously cast vote content is transmitted. If one has not yet 
voted, a vote can be cast (SI 3). A vote content confirmation is 
made in response to an inquiry as to whether this content from 
the authenticator device is acceptable (SI 4), and if there are no 
modifications (SI 5), vote content confirmation response 
processing indicating that there are no modifications is carried 
out (SI 6), while if there are modifications, one returns to step 
S12, generates vote content anew and re- votes. Subsequently, 
once the voting deadline has expired and voting results have 
reached the voter (SI 7), confirmation of voting results is 
performed (SI 8), and the validity of one's own vote is 
confirmed (SI 9, S20). 

{0018} Figure 4 shows a flow chart of the authenticator device 
in this invention. If the authenticator device does not possess a 
certificate necessary for the series of voting services (SI), it 
requests issuance of a certificate (S2), and if does possess one, 
the certificate is selected (S3). The various types of processing 
are performed using the certificate selected here. The device 
waits to receive a request (S4). If the request received is a voting 
ID issuance request (S5), the device examines whether or not a 
voting ID has been issued based on a table of voters and voting 
IDs (S6), performs issuance of a voting ID if none has been 
issued (S7), adds that voting ID to the table of voters and voting 
IDs, and transmits the voting ID to the voter device (S8). If one 
has previously been issued, the previously issued voting ID is 
transmitted. Furthermore, if the request received is a vote 
casting request (S9), the device examines whether or not a vote 
has been cast (S10), and if a vote was already cast, it request the 
voter device to confirm the content of the previously cast vote 
(SI 1), i.e. obtains confirmation if such content is acceptable. If 
no vote has yet been cast, it accepts a vote (SI 2), and performs 
processing to authenticate the vote's legitimacy (S13). Namely, 
the identity of the voter is confirmed through identity 
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authentication using the certificate that was received at the same 
time, the vote is confirmed to be the voter's by checking the 
correspondence between the voter and voting ID sent at the 
same time against the table of voter IDs and voters maintained 
by the authenticator device, and the vote is confirmed not to be a 
duplicate vote by confirming that a vote was not already cast 
based on the received voting ID. 

{0019} If all these confirmations are successful, the voter 
device is requested to confirm the vote content (SI 1). A vote 
content confirmation response is received from the voter device, 
and if there are any modifications to the vote content (SI 4), the 
authenticator device returns to step S13 and performs 
authentication processing, while if there are no modifications to 
the vote content, the confirmed vote is stored (S15). Once the 
voting deadline has expired (SI 6), the stored votes are collected 
to generate a vote list (SI 7). In order to provide this vote list to 
the ballot opener device, a vote list deposit request (an inquiry 
as to whether a vote list may be sent) is transmitted to the ballot 
opener device (SI 8), and a response is awaited (SI 9). If a 
response to the effect that the list may be sent is received, a vote 
list is delivered to the ballot opener device (S20). Furthermore, 
if the request received is an inquiry request (S21), that inquiry 
request is sent to the ballot opener device (S22), and upon 
receiving an inquiry response to that inquiry request from the 
ballot opener device (S23), that inquiry response is returned to 
the voter device (S24), and the authenticator device returns to a 
request reception standby state of step S4. When performing the 
above transmissions from the authenticator device to the voter 
device or ballot opener device, a certificate is appended to the 
transmission content, allowing the device receiving it to 
authenticate that it was indeed received from the authenticator 
device, i.e. to authenticate the sender's identity. 
{0020} Figure 5 shows the flow chart of the ballot opener 
device in this invention. If the ballot opener device does not 
possess a certificate necessary for the series of voting services 
(SI), it requests issuance of a certificate (S2), and if does 
possess one, the certificate is selected (S3). The various types of 
processing are performed using the certificate selected here. 
First, the encryption key used on the vote content when voting is 
generated (S4) and distributed to voter devices (S5). Thereafter, 
the device enters a request reception standby state (S6). Here, if 
the request received is a vote list deposit request (an inquiry as 
to whether a vote list may be transmitted) from the authenticator 
device (S7), a vote list deposit response (ready to receive) is 
transmitted to the authenticator device (S8), and a vote list is 
acquired from the authenticator device (S9). Opening 
(decryption) of ballots is performed on this vote list and the 
votes are counted (S10), and the voting results are transmitted to 
all the voter devices (SI 1). Voting IDs with which votes were 
cast are attached to the voting results, enabling the voter to 
confirm that his vote was cast correctly based on his voting ID. 
Furthermore, if the request received is an inquiry request (SI 2-), 
the inquiry response is returned to the authenticator device and 
the ballot opener device returns to the request reception standby 
state of step S6 (SI 3). 

{002 1 } In the above, the voting ID may be omitted if there is no 
need to find out the validity of one's own vote. Furthermore, in 
order to confirm that the content of a vote has been correctly 
generated by the voter himself and has not been forged, a digital 
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signature may be appended to the vote content encrypted by the 
voter device, and verification of this signature performed by the 
authenticator device. Furthermore, if the voter device sends 
personal information such as name, age and sex together with 
the vote to the authenticator device and the authenticator device 
sends the personal information which it is considered acceptable 
to publish to the ballot opener device, analytical data showing 
the age differences, sex differences, etc. relating to items on the 
ballot can be generated when voting results are counted. 
{0022} 

{Effect of the invention} According to this invention as 
described above, an authenticator device is provided as an 
intermediary device between the voter device and ballot opener 
device and is made to carry out voter authentication tasks, the 
key for encrypting the voter's vote content is generated by the 
ballot opener device, and the encryption key is delivered before 
the voter device performs voting, thereby yielding the effect of 
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concealing the correspondence between voter name and vote 
content from persons other than the voter and ensuring that the 
voter's privacy is protected. 
{Brief description of the drawings} 

{Figure 1} A drawing which shows the electronic voting 
procedure of this invention. 

{Figure 2} A drawing which shows the types of processing in 
this invention. 

{Figure 3} A drawing which shows the processing procedure of 
the voter device. 

{Figure 4} A figure which shows the processing procedure of 
the authenticator device. 

{Figure 5} A figure which shows the processing procedure of 
the ballot opener device. 

{Figure 6} A figure which shows the procedure of a 
conventional electronic voting method 
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Figure 1 



SI : Encryption/decryption key 
generation (processing A) 

S2: Encryption key (Kp) distribution 

S3: Voting ID request 

S4: Voting ID issuance 

S5: Voting ID distribution 

S6: Vote content 

generation/encryption 

S7: Vote (encrypted with Kp), voting 
ID 

S8: Voting ID authentication 

(processing B) 
S9: (encrypted) vote list publication 



S10: Confirmation/correction of vote 
S 1 1 : Vote (encrypted with Kp), 

voting ID 
SI 2: Decryption (opening of ballots) 

(processing C) 
SI 3: Voting results notification 

(broadcast) 
SI 4, SI 5: Inquiry request 
SI 6, SI 7: Inquiry response 
A: Voter device 
B: Authenticator device 
C: Ballot opener device 
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Figure 2 

A: Voter device p; 

B: Authenticator device R; 

C: Ballot opener device Q: 

D: Encryption key distribution S: 

processing T: 

E: Voting ID issuance processing U: 

F: Voting ID issuance request V: 
G: Voting ID issuance response 

H: Voting ID issuance processing W: 
I: Vote content generation/encryption 

processing X: 

J: Vote casting processing Y: 

K: Vote casting request Z: 

L: Vote casting response AA: 

M: Vote casting BB: 

N: Vote content confirmation request CC: 
O: Vote content confirmation response 



Vote collection processing 
Vote list generation 
Vote list deposit processing 
Vote list deposit request 
Vote list deposit response 
Vote list distribution 
Voting results notification 
processing 

Ballot opening (decryption) 
processing 

Vote results counting 
Vote results confirmation 
Inquiry processing 
Inquiry request/response 
Inquiry processing 
Inquiry request/response 
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Figure 3 



A: Start 
B:End 

C: Vote has been cast 
D: Vote has not been cast 
SI : User ID, password acquired? 
S2: Request issuance of user ID, 

password 
S3: Acquire encryption key 
S4: Certificate acquired? 
S5: Request issuance of certificate 
S6: Selection of certificate 
S7: Transmit voting ID issuance 

request 

S8: Voting ID issuance response 

received? 
S9: Acquire voting ID 



S 1 0: Transmit vote casting request 
Sll : Vote casting response received? 
SI 2: Vote content 

generation/encryption processing 
SI 3: Cast vote 

SI 4: Vote content confirmation request 
received? 

SI 5: No modifications to vote content? 
SI 6: Transmit vote content 

confirmation response 
SI 7: Voting results were delivered? 
SI 8: Voting results confirmation 

processing 
SI 9: No errors? 
S20: Inquiry processing 
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Figure 4 




A: Start 

B: In case of voting ID issuance 
request 

C: In case of inquiry request 

D: In case of vote casting request 

SI: Certificate acquired? 

S2: Request issuance of certificate 

S3: Selection of certificate 

S4: Request received 

S5: Voting ID issuance request 

received 
S6: Voting ID not issued yet? 
S7: Voting ID issuance processing 
S8: Transmit voting ID issuance 

response (voting ID) 
S9: Vote casting request received 
S10: No vote cast yet? 
Sll: Transmit vote content 
confirmation request 



SI 2: Transmit vote casting response 
S 1 3: Vote acquisition/authentication 

processing 
SI 4: Was vote content modified? 
SI 5: Receive vote content 

confirmation response 
SI 6: Voting deadline expired? 
SI 7: Vote collection/list generation 

processing 
SI 8: Transmit vote list deposit request 
SI 9: Vote list deposit response 

received? 
S20: Vote list delivery 
S21 : Receive inquiry request 
S22: Transmit inquiry request 
S23: Receive inquiry response 
S24: Transmit inquiry response 
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{Figure 5} 
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Figure 5 



A: Start 

B: In case of inquiry request 

C: In case of vote list deposit request 

SI : Certificate acquired? 

S2: Request issuance of certificate 

S3: Selection of certificate 

S4: Encryption key/decryption key 

generation 
S5: Encryption key distribution 
S6: Request received 



S7: Vote list deposit request received 
S8: Transmit vote list deposit 

response 
S9: Acquire vote list 
S10: Ballot opening (decryption), 

counting processing 
SI 1 : Transmit voting results 
SI 2: Inquiry request received 
SI 3: Transmit inquiry response 



A: Voter device 

B: Ballot opener device 

SI: Voting ID request 

S2: Voting ID issuance (processing 

S3: Voting ID distribution 

S4: Encryption key/decryption key 

generation 
S5: Vote content 

generation/encryption 



S6: Vote (encrypted), voting ID 
S7: Voting ID authentication 
S8: (encrypted) vote list publication 
A) S9: Vote confirmation/correction 
S10: Decryption key, voting ID 
Sll : Decryption (ballot opening) 

(processing B) 
SI 2: Voting results notification 
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